Improper PAM authorization handling #6810

Closed
ysf opened this issue Mar 6, 2022 · 6 comments · Fixed by #6819
Labels
🔒 security Categorizes as related to security

Comments

@ysf
Contributor

ysf commented Mar 6, 2022

Gogs version

<= 0.13

Git version

N/A

Operating system

Archlinux

Database

n/a

Describe the bug

The security policy states not to disclose anything. So here is the report on huntr.dev; it is only viewable to people with write access to this repository, and me: https://huntr.dev/bounties/ea82cfc9-b55c-41fe-ae58-0d0e0bd7ab62/

To reproduce

See report

Expected behavior

See report

Additional context

No response

@ysf ysf added the 💊 bug Something isn't working label Mar 6, 2022
@unknwon unknwon changed the title Improper Authorization handling ( Improper Authorization handling Mar 6, 2022
@unknwon unknwon changed the title Improper Authorization handling Improper authorization handling Mar 6, 2022
@unknwon unknwon added 🔒 security Categorizes as related to security and removed 💊 bug Something isn't working labels Mar 6, 2022
@unknwon
Member

unknwon commented Mar 6, 2022

Approved on huntr.dev, thank you!

@unknwon unknwon changed the title Improper authorization handling Improper PAM authorization handling Mar 6, 2022
@unknwon
Member

unknwon commented Mar 8, 2022

@ysf You already included a potential fix in the report, do you wanna do a PR or do you prefer me to investigate? (former is faster).

@ysf
Contributor Author

ysf commented Mar 8, 2022

The idea was that you can look whether the patch suits you. If so, I'll push it to a branch. Normally it's not possible to pick up the other bounty.

I'll create a PR asap.

ysf added a commit to ysf/gogs that referenced this issue Mar 8, 2022
@ysf
Contributor Author

ysf commented Mar 8, 2022

There it is. Sorry for my GitHub inconvenience.

@unknwon unknwon linked a pull request Mar 8, 2022 that will close this issue
@unknwon
Member

unknwon commented Mar 8, 2022

FYI I will conduct a patch release 0.12.5 before I hit the "Confirm Fix" button on huntr.dev.

@unknwon
Member

unknwon commented Mar 11, 2022

0.12.5 has been released and includes the patch for the reported issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 10, 2022