gitea/services
KN4CK3R c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
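The weak scheme quoted above keys the cookie on values that sit in the database (the password hash and the user's rands), so a dump is enough to forge it. The fix linked from the issue is the selector/validator split: the cookie carries a random selector plus a random validator, and the server stores only the selector and a hash of the validator. The following Go program is an added illustration of that pattern; it is not Gitea's code and not the implementation from #27606. The in-memory map standing in for the auth-token table, the `issue`/`verify`/`revokeAll`/`forgeFromDump` names, the `selector:validator` cookie layout and SHA-256 as the validator hash are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// authToken is the persisted record. Only a hash of the validator is kept, so a
// database dump yields the selector and the hash but never the cookie itself.
type authToken struct {
	UserID        int64
	ValidatorHash [32]byte
	Expiry        time.Time
}

// tokenStore stands in for the auth-token table (assumption: an in-memory map
// keyed by selector; a real deployment would use the database).
type tokenStore struct {
	tokens map[string]authToken
}

func newTokenStore() *tokenStore {
	return &tokenStore{tokens: map[string]authToken{}}
}

var errInvalidToken = errors.New("invalid or expired remember-me token")

// issue mints a remember-me cookie value "selector:validator" for userID and
// stores selector -> (userID, sha256(validator), expiry).
func (s *tokenStore) issue(userID int64, ttl time.Duration, now time.Time) (string, error) {
	var sel [12]byte // selector: only a lookup key, need not be secret
	var val [32]byte // validator: the actual secret, never stored in clear
	if _, err := rand.Read(sel[:]); err != nil {
		return "", err
	}
	if _, err := rand.Read(val[:]); err != nil {
		return "", err
	}
	selector := hex.EncodeToString(sel[:])
	validator := hex.EncodeToString(val[:])
	s.tokens[selector] = authToken{
		UserID:        userID,
		ValidatorHash: sha256.Sum256([]byte(validator)),
		Expiry:        now.Add(ttl),
	}
	return selector + ":" + validator, nil
}

// verify looks the selector up, then compares sha256(validator) against the
// stored hash in constant time. A mismatch for a known selector means someone
// holds the selector without the validator (e.g. from a dump), so the token is
// revoked rather than left for further guessing.
func (s *tokenStore) verify(cookie string, now time.Time) (int64, error) {
	selector, validator, ok := strings.Cut(cookie, ":")
	if !ok {
		return 0, errInvalidToken
	}
	tok, found := s.tokens[selector]
	if !found {
		return 0, errInvalidToken
	}
	if now.After(tok.Expiry) {
		delete(s.tokens, selector)
		return 0, errInvalidToken
	}
	got := sha256.Sum256([]byte(validator))
	if subtle.ConstantTimeCompare(got[:], tok.ValidatorHash[:]) != 1 {
		delete(s.tokens, selector)
		return 0, errInvalidToken
	}
	return tok.UserID, nil
}

// revokeAll drops every token of a user, for password changes or "log out everywhere".
func (s *tokenStore) revokeAll(userID int64) {
	for sel, tok := range s.tokens {
		if tok.UserID == userID {
			delete(s.tokens, sel)
		}
	}
}

// forgeFromDump builds the best cookie an attacker with a database dump can
// assemble: the selector plus the stored hash. It has the right shape but the
// server hashes it again, so it never matches.
func forgeFromDump(s *tokenStore, selector string) string {
	tok := s.tokens[selector]
	return selector + ":" + hex.EncodeToString(tok.ValidatorHash[:])
}

func main() {
	store := newTokenStore()
	now := time.Now()
	cookie, _ := store.issue(42, 30*24*time.Hour, now)
	uid, err := store.verify(cookie, now)
	fmt.Println("genuine cookie:", uid, err)
	forged := forgeFromDump(store, strings.SplitN(cookie, ":", 2)[0])
	_, err = store.verify(forged, now)
	fmt.Println("forged from dump:", err)
}
```

Two points the code makes concrete: nothing in the stored record lets a dump holder reconstruct the validator, and the lookup-then-compare order keeps the hash comparison constant time while the selector lookup stays an ordinary indexed query.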
actions Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
agit Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
asymkey Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
attachment Even more `db.DefaultContext` refactor (#27352) 2023-10-03 10:30:41 +00:00
auth Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
automerge Improve queue and logger context (#24924) 2023-05-26 07:31:55 +00:00
context Another round of `db.DefaultContext` refactor (#27103) 2023-09-25 13:17:37 +00:00
convert Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
cron Fix data-race bug when accessing task.LastRun (#27584) 2023-10-11 14:51:20 +00:00
externalaccount More `db.DefaultContext` refactor (#27265) 2023-09-29 12:12:54 +00:00
feed More `db.DefaultContext` refactor (#27265) 2023-09-29 12:12:54 +00:00
forms Add support for forking single branch (#25821) 2023-09-29 09:48:39 +08:00
gitdiff Even more `db.DefaultContext` refactor (#27352) 2023-10-03 10:30:41 +00:00
indexer Update status and code index after changing the default branch (#27018) 2023-09-13 04:43:31 +00:00
issue Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
lfs Bump github.com/golang-jwt/jwt to v5 (#25975) 2023-07-19 09:57:10 +00:00
mailer Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
markup make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
migrations Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
mirror Even more `db.DefaultContext` refactor (#27352) 2023-10-03 10:30:41 +00:00
notify Update status and code index after changing the default branch (#27018) 2023-09-13 04:43:31 +00:00
org make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
packages Another round of `db.DefaultContext` refactor (#27103) 2023-09-25 13:17:37 +00:00
pull Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
release Even more `db.DefaultContext` refactor (#27352) 2023-10-03 10:30:41 +00:00
repository Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
secrets Refactor secrets modification logic (#26873) 2023-09-05 15:21:02 +00:00
task Fix unexpected context canceled when migrating repository (#27368) 2023-10-01 12:04:35 +00:00
uinotification Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
user Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
webhook make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
wiki Even more `db.DefaultContext` refactor (#27352) 2023-10-03 10:30:41 +00:00