From d5856fece7d9cc70d5888bbee9fd0eeddf91c8da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bogus=C5=82awski?= Date: Mon, 24 Oct 2022 21:05:35 +0200 Subject: [PATCH] SessionUser protection against nil pointer dereference (#21581) Backport #21358 `SessionUser` should be protected against passing `sess` = `nil` to avoid ``` PANIC: runtime error: invalid memory address or nil pointer dereference ``` in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17. Related: https://github.com/go-gitea/gitea/pull/18452 --- services/auth/session.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/auth/session.go b/services/auth/session.go index 6a23a176651f..1ec94aa0af71 100644 --- a/services/auth/session.go +++ b/services/auth/session.go @@ -39,6 +39,10 @@ func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataSto // SessionUser returns the user object corresponding to the "uid" session variable. func SessionUser(sess SessionStore) *user_model.User { + if sess == nil { + return nil + } + // Get user ID uid := sess.Get("uid") if uid == nil {