From aeb5655c25053bdcd7eee94ea37df88468374162 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kim=20=22BKC=22=20Carlb=C3=A4cker?=
 <kim.carlbacker@gmail.com>
Date: Thu, 25 Oct 2018 13:53:39 +0200
Subject: [PATCH] Update go-macaron/session to latest mast to fix RCE-bug
 (#5177)

---
 Gopkg.lock                                    |  5 +++--
 vendor/github.com/go-macaron/session/file.go  | 12 +++++------
 .../github.com/go-macaron/session/session.go  | 20 +++++++++++++------
 3 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index 82df42154..d084ae118 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -342,14 +342,15 @@
   revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"
 
 [[projects]]
-  digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702"
+  branch = "master"
+  digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc"
   name = "github.com/go-macaron/session"
   packages = [
     ".",
     "redis",
   ]
   pruneopts = "NUT"
-  revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b"
+  revision = "330e4e4d8beb7b00111ac34539561f46f94c4458"
 
 [[projects]]
   digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"
diff --git a/vendor/github.com/go-macaron/session/file.go b/vendor/github.com/go-macaron/session/file.go
index 438269ea8..9bbc7aed2 100644
--- a/vendor/github.com/go-macaron/session/file.go
+++ b/vendor/github.com/go-macaron/session/file.go
@@ -86,7 +86,7 @@ func (s *FileStore) Release() error {
 		return err
 	}
 
-	return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm)
+	return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600)
 }
 
 // Flush deletes all session data.
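Review bot: The `0600` passed to ioutil.WriteFile on the changed line only applies when the file is created; a session file already written with os.ModePerm by the previously vendored version keeps its old mode after this upgrade. If tightening already-deployed session stores matters, follow the write with an explicit `os.Chmod(s.p.filepath(s.sid), 0600)` or chmod the directory tree on upgrade. The same caveat applies to the `0700` MkdirAll calls in the Read and regenerate hunks below, since MkdirAll leaves existing directories untouched. Release begins outside this hunk.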
@@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string {
 // Read returns raw session store by session ID.
 func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
 	filename := p.filepath(sid)
-	if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+	if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
 		return nil, err
 	}
 	p.lock.RLock()
@@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
 
 	var f *os.File
 	if com.IsFile(filename) {
-		f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm)
+		f, err = os.OpenFile(filename, os.O_RDONLY, 0600)
 	} else {
 		f, err = os.Create(filename)
 	}
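Review bot: The else branch directly below the changed OpenFile still calls os.Create, which opens with mode 0666, so a session file created on first Read ends up readable by others (modulo umask) while the reopen path now asks for 0600. If nothing further down writes through f, one call with an explicit mode serves both paths, `f, err = os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0600)`, and also removes the com.IsFile check-then-open gap. Read continues past the end of this hunk.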
@@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) {
 		if err != nil {
 			return err
 		}
-		if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil {
+		if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil {
 			return err
 		}
-		if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil {
+		if err = ioutil.WriteFile(oldname, data, 0600); err != nil {
 			return err
 		}
 	}
 
-	if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+	if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
 		return err
 	}
 	if err = os.Rename(oldname, filename); err != nil {
diff --git a/vendor/github.com/go-macaron/session/session.go b/vendor/github.com/go-macaron/session/session.go
index 7e7b833c5..d9bbae203 100644
--- a/vendor/github.com/go-macaron/session/session.go
+++ b/vendor/github.com/go-macaron/session/session.go
@@ -18,15 +18,17 @@ package session
 
 import (
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"gopkg.in/macaron.v1"
 )
 
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
 
 func Version() string {
 	return _VERSION
@@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }
 
-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
 	return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
 }
 
@@ -255,10 +257,10 @@ func (m *Manager) sessionId() string {
 func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 	sid := ctx.GetCookie(m.opt.CookieName)
 	if len(sid) > 0 && m.provider.Exist(sid) {
-		return m.provider.Read(sid)
+		return m.Read(sid)
 	}
 
-	sid = m.sessionId()
+	sid = m.sessionID()
 	sess, err := m.provider.Read(sid)
 	if err != nil {
 		return nil, err
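Review bot: The cookie value read on the first line of Start reaches `m.provider.Exist(sid)` before any validation; only the subsequent `m.Read(sid)` rejects ids containing `.` or `/`, so a provider that maps the id to a path still probes the filesystem with the raw cookie value. Validate before the Exist call, e.g. `if len(sid) > 0 && !strings.ContainsAny(sid, "./") && m.provider.Exist(sid) {`, or move the check into a small unexported helper shared by Start and Read. Start continues beyond this hunk.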
@@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 
 // Read returns raw session store by session ID.
 func (m *Manager) Read(sid string) (RawStore, error) {
+	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+	// See https://github.com/gogs/gogs/issues/5469
+	if strings.ContainsAny(sid, "./") {
+		return nil, errors.New("invalid 'sid': " + sid)
+	}
+
 	return m.provider.Read(sid)
 }
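Review bot: The new guard is a denylist of `.` and `/`, so it accepts an empty id and does not cover `\`, which the file provider passes through untouched because it uses path.Dir rather than filepath.Dir (see the Read hunk above) while the os calls on Windows treat it as a separator. Assuming every provider only ever sees ids produced by sessionID (earlier hunk), which emits hex, an allowlist is simpler and stricter: `if _, err := hex.DecodeString(sid); err != nil || sid == "" {` with encoding/hex already imported in this file. Quote the id in the error, `fmt.Errorf("invalid 'sid': %q", sid)`, so a cookie value carrying control characters does not land verbatim in logs.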
 
@@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
 
 // RegenerateId regenerates a session store from old session ID to new one.
 func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
-	sid := m.sessionId()
+	sid := m.sessionID()
 	oldsid := ctx.GetCookie(m.opt.CookieName)
 	sess, err = m.provider.Regenerate(oldsid, sid)
 	if err != nil {
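Review bot: The `oldsid` read from the cookie on the line after the changed one is passed straight to `m.provider.Regenerate(oldsid, sid)` without the `./` check this commit adds to Manager.Read, so the file provider's regenerate (earlier hunk, which presumably derives oldname from that id and then creates and writes it) still receives an unvalidated path component. Apply the same validation here before calling the provider, e.g. `if strings.ContainsAny(oldsid, "./") { return nil, errors.New("invalid 'sid': " + oldsid) }`, or reuse a shared helper so the two checks cannot drift apart. RegenerateId continues beyond this hunk.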