SameSite cookie option applies only to _csrf cookie #15972

Closed
1 of 2 tasks
SagePtr opened this issue May 24, 2021 · 2 comments · Fixed by #15989 or #16037
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Comments

@SagePtr
Contributor

SagePtr commented May 24, 2021

  • Gitea version (or commit ref): 1.14.2, 1.15.0+dev-344-g5285a3e70
  • Git version: unrelated
  • Operating system: unrelated
  • Database: unrelated
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No

Description

Only the _csrf cookie gets the SameSite option. The other cookies have none.

Screenshots

[three screenshots of the browser's cookie listing, not reproduced here]

@noerw noerw added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label May 25, 2021
zeripath added a commit to zeripath/gitea that referenced this issue May 26, 2021
techknowlogick added a commit that referenced this issue May 27, 2021
Fix #15972

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: techknowlogick <[email protected]>
techknowlogick added a commit to techknowlogick/gitea that referenced this issue May 27, 2021
Fix go-gitea#15972

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: techknowlogick <[email protected]>
techknowlogick added a commit that referenced this issue May 27, 2021
Fix #15972

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: techknowlogick <[email protected]>

Co-authored-by: zeripath <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
@SagePtr
Contributor Author

SagePtr commented May 31, 2021

Mostly fixed, but the cookie "i_like_gitea" (session identifier cookie?) still comes without SameSite:
[screenshot of the cookie listing, not reproduced here]
(I cleaned up cookies, so it's not the old cookie)

@zeripath
Contributor

I almost missed this comment - please do not comment on closed bugs!

gitea/routers/routes/web.go, lines 156 to 165 in effad26:

```go
routes.Use(session.Sessioner(session.Options{
	Provider:       setting.SessionConfig.Provider,
	ProviderConfig: setting.SessionConfig.ProviderConfig,
	CookieName:     setting.SessionConfig.CookieName,
	CookiePath:     setting.SessionConfig.CookiePath,
	Gclifetime:     setting.SessionConfig.Gclifetime,
	Maxlifetime:    setting.SessionConfig.Maxlifetime,
	Secure:         setting.SessionConfig.Secure,
	Domain:         setting.SessionConfig.Domain,
}))
```

Looks like it misses setting the SameSite setting. This is probably due to a reversion at some point... I'll pop up a patch.

Damn I thought I checked all of these cookies but obviously missed this.
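
An added example, not Gitea's code and not the patch from the linked PRs: a small Go audit that parses Set-Cookie header values with net/http's own parser and reports, per cookie, the hardening attributes it lacks. The header values are constructed to mirror this issue (_csrf carries SameSite, the i_like_gitea session cookie does not); the example_none cookie is invented to exercise the SameSite=None branch.

```go
package main

import (
	"fmt"
	"net/http"
)

// SampleSetCookie is a constructed set of Set-Cookie values modelled on the
// issue: _csrf carries SameSite, the session cookie i_like_gitea does not.
// example_none is a made-up cookie that sets SameSite=None without Secure.
var SampleSetCookie = []string{
	"_csrf=constructedtoken; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax",
	"i_like_gitea=constructedsession; Path=/; HttpOnly; Secure",
	"example_none=1; Path=/; SameSite=None",
}

// AuditSetCookies parses Set-Cookie values and returns, per cookie name, the
// attributes a hardened cookie should carry but this one lacks. An absent or
// unrecognised SameSite is reported as missing; SameSite=None is accepted
// only together with Secure, since browsers reject it otherwise.
func AuditSetCookies(setCookie []string) map[string][]string {
	// Response.Cookies parses the Set-Cookie headers of a response the same
	// way net/http clients do; only the header is consulted, so no body is needed.
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	findings := map[string][]string{}
	for _, c := range resp.Cookies() {
		var gaps []string
		switch c.SameSite {
		case http.SameSiteLaxMode, http.SameSiteStrictMode:
			// explicit and restrictive: nothing to report
		case http.SameSiteNoneMode:
			if !c.Secure {
				gaps = append(gaps, "SameSite=None without Secure")
			}
		default:
			gaps = append(gaps, "missing SameSite")
		}
		if !c.Secure {
			gaps = append(gaps, "missing Secure")
		}
		if !c.HttpOnly {
			gaps = append(gaps, "missing HttpOnly")
		}
		findings[c.Name] = gaps
	}
	return findings
}

func main() {
	for name, gaps := range AuditSetCookies(SampleSetCookie) {
		fmt.Printf("%-14s %v\n", name, gaps)
	}
}
```

Pointing the same function at the Set-Cookie headers of a real response (resp.Header["Set-Cookie"] from an http.Get of the login page) would have surfaced the i_like_gitea gap before the first fix was merged.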

@zeripath zeripath reopened this May 31, 2021
zeripath added a commit to zeripath/gitea that referenced this issue May 31, 2021
The i_like_gitea cookie appears to be missing the SameSite settings. I think they
were present at some point but may have been removed in a merge.

This PR ensures that they are set.

Fix go-gitea#15972

Signed-off-by: Andrew Thornton <[email protected]>
techknowlogick pushed a commit that referenced this issue May 31, 2021
The i_like_gitea cookie appears to be missing the SameSite settings. I think they
were present at some point but may have been removed in a merge.

This PR ensures that they are set.

Fix #15972

Signed-off-by: Andrew Thornton <[email protected]>
zeripath added a commit to zeripath/gitea that referenced this issue May 31, 2021
…6037)

Backport go-gitea#16037

The i_like_gitea cookie appears to be missing the SameSite settings. I think they
were present at some point but may have been removed in a merge.

This PR ensures that they are set.

Fix go-gitea#15972

Signed-off-by: Andrew Thornton <[email protected]>
techknowlogick pushed a commit that referenced this issue Jun 1, 2021
…16039)

Backport #16037

The i_like_gitea cookie appears to be missing the SameSite settings. I think they
were present at some point but may have been removed in a merge.

This PR ensures that they are set.

Fix #15972

Signed-off-by: Andrew Thornton <[email protected]>
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this issue Aug 10, 2021
Fix go-gitea#15972

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: techknowlogick <[email protected]>
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this issue Aug 10, 2021
…6037)

The i_like_gitea cookie appears to be missing the SameSite settings. I think they
were present at some point but may have been removed in a merge.

This PR ensures that they are set.

Fix go-gitea#15972

Signed-off-by: Andrew Thornton <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021