From 68a40d8b0b9dabddc7bf015a0b337a88fe65930a Mon Sep 17 00:00:00 2001
From: Jett Wang
Date: Fri, 17 May 2024 13:47:20 +0800
Subject: [PATCH] 2024-05-17 13:47:07 : fix login xss bug

---
 assets/buildinfo.txt | 10 +++++-----
 controllers/index/index.go | 27 +++++++++++++++++++++------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/assets/buildinfo.txt b/assets/buildinfo.txt
index 82f59ef5..81d7bcf3 100644
--- a/assets/buildinfo.txt
+++ b/assets/buildinfo.txt
@@ -1,8 +1,8 @@
-BuildVersion=latest v8.0.7 2024-05-16 16:32:57
+BuildVersion=latest v8.0.7 2024-05-17 13:47:07
 ReleaseVersion=v8.0.7
-BuildTime=2024-05-16 16:32:57
+BuildTime=2024-05-17 13:47:07
 BuildName=toughradius
-CommitID=4d7c9e9052d7fe32a9f46cbce9259feb3ee76a17
-CommitDate=Wed, 27 Mar 2024 23:11:47 +0800
+CommitID=b4611353205746fcd10466dda836545c0cc59b37
+CommitDate=Thu, 16 May 2024 16:33:04 +0800
 CommitUser=jamiesun.net@gmail.com
-CommitSubject=Merge branch 'develop'
+CommitSubject=2024-05-16 16:32:57 : fix text error
diff --git a/controllers/index/index.go b/controllers/index/index.go
index e6099e30..f79e354c 100644
--- a/controllers/index/index.go
+++ b/controllers/index/index.go
@@ -2,6 +2,7 @@ package index
 import (
 "encoding/json"
+ "fmt"
 "net/http"
 "strings"
 "time"
@@ -29,6 +30,16 @@ var pushers = []string{
 "/static/echarts/echarts.min.js",
 }
+const (
+ LoginPasswdErr = "wrong password"
+ LoginUserErr = "user does not exist"
+ LoginDbErr = "database connection failed"
+ LoginInputErr = "username and password cannot be empty"
+ LoginExpired = "User not logged in or login expired"
+)
+
+var LoginErrors = []string{LoginPasswdErr, LoginUserErr, LoginDbErr, LoginInputErr, LoginExpired}
+
 func InitRouter() {
 // 系统首页
@@ -44,7 +55,7 @@ func InitRouter() {
 sess, _ := session.Get(webserver.UserSession, c)
 username := sess.Values[webserver.UserSessionName]
 if username == nil || username == "" {
- return c.Redirect(http.StatusTemporaryRedirect, "/login?errmsg=User not logged in or login expired")
+ return c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("/login?errmsg=%s", LoginExpired))
 }
 return c.Render(http.StatusOK, "index", map[string]interface{}{})
 })
@@ -94,6 +105,10 @@ func InitRouter() {
 // 登录页面
 webserver.GET("/login", func(c echo.Context) error {
 errmsg := c.QueryParam("errmsg")
+ // errmsg must in LoginErrors
+ if !common.InSlice(errmsg, LoginErrors) {
+ errmsg = ""
+ }
 return c.Render(http.StatusOK, "login", map[string]interface{}{
 "errmsg": errmsg,
 "LoginLogo": "/static/images/login-logo.png",
@@ -104,7 +119,7 @@ func InitRouter() {
 isdark := c.Param("isdark")
 if isdark == "1" {
 app.GApp().SetSystemTheme("dark")
- } else {
+ } else if isdark == "0" {
 app.GApp().SetSystemTheme("light")
 }
 return c.JSON(http.StatusOK, web.RestSucc("success"))
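Review bot: The new redirect line `fmt.Sprintf("/login?errmsg=%s", LoginExpired)` puts a message containing raw spaces into the Location header, which is not a valid URI; the allow-list in the `/login` handler still matches because echo decodes the query value, but intermediaries and strict clients may rewrite or reject the header. Build the query with the standard encoder instead, `"/login?errmsg=" + url.QueryEscape(LoginExpired)` (adding `"net/url"` to the import block), or `"/login?" + url.Values{"errmsg": {LoginExpired}}.Encode()`. The same pattern appears in the four redirects of the `@@ -123,19 +138,19 @@` hunk and should be fixed there too. The enclosing handler closure and InitRouter continue outside this hunk.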
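Review bot: The allow-list check in the `/login` handler is the right fix for the reflected `errmsg`, but it is keyed on the exported, mutable package-level slice `LoginErrors`, which any package can append to or reassign at runtime, quietly widening what the template will render. Keep the set unexported (or make it a `map[string]struct{}` consulted only here) so the allow-list cannot drift. The comment `// errmsg must in LoginErrors` should say what the check defends against, e.g. `// errmsg is rendered into the login page: only the fixed messages in LoginErrors are allowed so user-supplied text is never reflected`. It is not visible from this hunk whether the "login" template is rendered through html/template; if it is not, contextual escaping in the template is the defence that should back this allow-list.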
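Review bot: After the change to `} else if isdark == "0" {`, any `isdark` value other than "1" or "0" changes nothing yet still answers `web.RestSucc("success")`, so a caller gets a success response for a request that was ignored. Add a final branch that rejects unrecognised values, e.g. `} else { return c.JSON(http.StatusBadRequest, web.RestError("invalid isdark")) }` (if `web.RestError` is the project's error helper; otherwise whichever error constructor this package already uses). The handler closure and InitRouter continue outside this hunk.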
@@ -123,19 +138,19 @@ func InitRouter() {
 username := c.FormValue("username")
 password := c.FormValue("password")
 if username == "" || password == "" {
- return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=Username and password cannot be empty")
+ return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginInputErr))
 }
 var user models.SysOpr
 err := app.GDB().Where("username=?", username).First(&user).Error
 if err != nil {
 if strings.Contains(err.Error(), "dial error") {
- return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=Database connection failed")
+ return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginDbErr))
 }
- return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=User does not exist")
+ return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginUserErr))
 }
 if common.Sha256HashWithSalt(password, common.SecretSalt) != user.Password {
- return c.Redirect(http.StatusMovedPermanently, "/login?errmsg=wrong password")
+ return c.Redirect(http.StatusMovedPermanently, fmt.Sprintf("/login?errmsg=%s", LoginPasswdErr))
 }
 sess, _ := session.Get(webserver.UserSession, c)
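Review bot: The rewritten error redirects still distinguish `LoginUserErr` from `LoginPasswdErr`, so the login form confirms which usernames exist; collapse both failure paths to a single message, e.g. return `fmt.Sprintf("/login?errmsg=%s", LoginPasswdErr)` (or a new generic "invalid username or password" constant added to the allow-list) on the `err != nil` path as well. Separately, every redirect here uses `http.StatusMovedPermanently`, a cacheable permanent status, for a POST-then-redirect; `http.StatusSeeOther` is the status that means "redirect the browser to GET this page" and will not be cached. The `strings.Contains(err.Error(), "dial error")` test is pre-existing but brittle and would be safer as an `errors.Is`/`errors.As` check once the driver's error type is known. The login handler closure and InitRouter continue past the end of this hunk.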