gitea

Mirrors/gitea

Fork 0

mirror of https://github.com/go-gitea/gitea.git synced 2026-02-25 03:46:16 +01:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
silverwind	a0160694b9	Enable `nilnil` linter for new code (#36591 ) Fixes: https://github.com/go-gitea/gitea/issues/36152 Enable the `nilnil` linter while adding `//nolint` comments to existing violations. This will ensure no new issues enter the code base while we can fix existing issues gradually. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-16 09:57:18 +00:00
KN4CK3R	c6c829fe3f	Enhanced auth token / remember me (#27606 ) Closes #27455 > The mechanism responsible for long-term authentication (the 'remember me' cookie) uses a weak construction technique. It will hash the user's hashed password and the rands value; it will then call the secure cookie code, which will encrypt the user's name with the computed hash. If one were able to dump the database, they could extract those two values to rebuild that cookie and impersonate a user. That vulnerability exists from the date the dump was obtained until a user changed their password. > > To fix this security issue, the cookie could be created and verified using a different technique such as the one explained at https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies. The PR removes the now obsolete setting `COOKIE_USERNAME`.	2023-10-14 00:56:41 +00:00

silverwind

a0160694b9

Enable nilnil linter for new code (#36591 )

Fixes: https://github.com/go-gitea/gitea/issues/36152

Enable the `nilnil` linter while adding `//nolint` comments to existing
violations. This will ensure no new issues enter the code base while we
can fix existing issues gradually.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-16 09:57:18 +00:00

KN4CK3R

c6c829fe3f

Enhanced auth token / remember me (#27606 )

Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.

2023-10-14 00:56:41 +00:00

2 Commits