authorzeripath2021-06-16 10:06:27 +0100
committerGitHub2021-06-16 05:06:27 -0400
commit946eb1321c620f7fc8938df130809c0522c93613 (patch)
tree12180a8c5467c9fce469dd7fe91adf42a65a5127
parentbc82bb9cda948912954ff75a46863c82b62f7759 (diff)
Only check access tokens if they are likely to be tokens (#16164) (#16171)
Backport of #16164. Gitea currently checks whether every password is an access token, even though most passwords are not and cannot be access tokens. By construction, access tokens are 40-byte hexadecimal strings, so only strings of that shape should be checked. Signed-off-by: Andrew Thornton <art27@cantab.net>
-rw-r--r--models/token.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/models/token.go b/models/token.go
index 1245098df..49541b122 100644
--- a/models/token.go
+++ b/models/token.go
@@ -57,9 +57,15 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
if token == "" {
return nil, ErrAccessTokenEmpty{}
}
- if len(token) < 8 {
+ // A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
+ if len(token) != 40 {
return nil, ErrAccessTokenNotExist{token}
}
+ for _, x := range []byte(token) {
+ if x < '0' || (x > '9' && x < 'a') || x > 'f' {
+ return nil, ErrAccessTokenNotExist{token}
+ }
+ }
var tokens []AccessToken
lastEight := token[len(token)-8:]
err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)
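Review bot: The loop variable on the added line `for _, x := range []byte(token)` shadows the package-level engine `x` that this same function uses three lines later in `x.Table(&AccessToken{})`; it compiles only because the lookup sits outside the loop, and renaming removes the trap: `for _, c := range []byte(token) {` / `if c < '0' || (c > '9' && c < 'a') || c > 'f' {`. The range check accepts only lowercase hex, which the comment above `len(token) != 40` does not state; suggest `// A token is a hex-encoded SHA1 sum: exactly 40 lowercase hexadecimal characters.` so nobody later "fixes" it to accept uppercase without checking how tokens are generated. Both rejection paths still build `ErrAccessTokenNotExist{token}` with the submitted string, which for a non-token is presumably a user's password, so callers should not log that error verbatim — the callers are not visible from here. GetAccessTokenBySHA's body continues past the end of the hunk.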