From adac68d43a56ee0393205ea3e6e9fd1823e84d33 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Thu, 6 Oct 2022 14:47:32 +0200
Subject: [PATCH 1/3] SessionUser protection against nil pointer dereference
`SessionUser` should be protected against passing `sess` = `nil` to avoid.
```
PANIC: runtime error: invalid memory address or nil pointer dereference
```
in https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69 after upgrade from gitea v1.16 to v1.17.
Related: https://github.com/go-gitea/gitea/pull/18452
Author-Change-Id: IB#1126459
---
 services/auth/session.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/services/auth/session.go b/services/auth/session.go
index 6a23a176651ff..22f1d752340f2 100644
--- a/services/auth/session.go
+++ b/services/auth/session.go
@@ -1,4 +1,4 @@
-// Copyright 2019 The Gitea Authors. All rights reserved.
+// Copyright 2022 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -30,6 +30,10 @@ func (s *Session) Name() string {
 // object for that uid.
 // Returns nil if there is no user uid stored in the session.
 func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
+ if sess == nil {
+ return nil
+ }
+
 user := SessionUser(sess)
 if user != nil {
 return user
From 09628bb6c4c97abd5963091e9d11baf26e8e0fab Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Mon, 24 Oct 2022 18:56:12 +0200
Subject: [PATCH 2/3] Verification moved to correct method
Fixes: adac68d43a56ee0393205ea3e6e9fd1823e84d33
Related: https://github.com/go-gitea/gitea/pull/21358
Related: https://github.com/go-gitea/gitea/pull/18452
Author-Change-Id: IB#1126459
---
 services/auth/session.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/auth/session.go b/services/auth/session.go
index 22f1d752340f2..b1986944bb1de 100644
--- a/services/auth/session.go
+++ b/services/auth/session.go
@@ -30,10 +30,6 @@ func (s *Session) Name() string {
 // object for that uid.
 // Returns nil if there is no user uid stored in the session.
 func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *user_model.User {
- if sess == nil {
- return nil
- }
-
 user := SessionUser(sess)
 if user != nil {
 return user
@@ -43,6 +39,10 @@ func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataSto
 // SessionUser returns the user object corresponding to the "uid" session variable.
 func SessionUser(sess SessionStore) *user_model.User {
+ if sess == nil {
+ return nil
+ }
+
 // Get user ID
 uid := sess.Get("uid")
 if uid == nil {
From 33b6cf245480379de28df739d065eb9ba4650531 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Bogus=C5=82awski?=
Date: Mon, 24 Oct 2022 19:03:28 +0200
Subject: [PATCH 3/3] Update session.go
---
 services/auth/session.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/auth/session.go b/services/auth/session.go
index b1986944bb1de..1ec94aa0af718 100644
--- a/services/auth/session.go
+++ b/services/auth/session.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
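Review bot: The `sess == nil` guard added at the top of `SessionUser` (second hunk of patch 2/3) only catches a nil interface value; if `SessionStore` is an interface type (its definition is not in the hunk), a caller that passes a typed nil pointer still gets past the check and can panic inside `sess.Get("uid")`. The doc comment above the function was left unchanged and should state the new contract, for example `// SessionUser returns the user object corresponding to the "uid" session variable, or nil if sess is nil or holds no uid.` Returning nil fails closed, since the request is then treated as having no session user, which is the right default on an authentication path; a regression test that calls `SessionUser(nil)` and expects nil would pin that behaviour. The body of `SessionUser` continues past the end of the hunk, so the handling after `if uid == nil {` is not reviewed here.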