fix login for account names with non-ascii chars

we include the username in session cookie values. but cookie values must be ascii-only, go's net/http's drops bad values. the typical solution is to querystring-encode/decode the cookie values, which we'll now do.

problem found by arnt, thanks for reporting!
This commit is contained in:
Mechiel Lukkien
2024-04-11 23:11:31 +02:00
parent d74610c345
commit 666f84edea
4 changed files with 19 additions and 11 deletions

View File

@ -41,6 +41,7 @@ import (
"log/slog"
"net"
"net/http"
"net/url"
"strings"
"time"
@ -154,9 +155,15 @@ func Check(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind stri
return "", "", "", false
}
sessionToken = store.SessionToken(t[0])
accountName = t[1]
var err error
accountName, err = url.QueryUnescape(t[1])
if err != nil {
time.Sleep(BadAuthDelay)
respondAuthError("user:badAuth", "malformed session account name")
return "", "", "", false
}
loginAddress, err = sessionAuth.use(ctx, log, accountName, sessionToken, csrfToken)
if err != nil {
time.Sleep(BadAuthDelay)
@ -258,7 +265,8 @@ func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, coo
// Add session cookie.
http.SetCookie(w, &http.Cookie{
Name: kind + "session",
Value: string(sessionToken) + " " + accountName,
// Cookies values are ascii only, so we keep the account name query escaped.
Value: string(sessionToken) + " " + url.QueryEscape(accountName),
Path: cookiePath,
Secure: isHTTPS(isForwarded, r),
HttpOnly: true,