Use Req.URL.RequestURI() to cope with FCGI urls (#9473)

* Use Req.URL.RequestURI() to cope with FCGI urls

* Add debug logging statement when forbidden in internal API.
This commit is contained in:
zeripath 2019-12-24 00:11:12 +00:00 committed by GitHub
parent 546523a57c
commit 017f314b5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 17 additions and 15 deletions

View file

@ -410,7 +410,7 @@ relation to port exhaustion.
NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`. NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
- `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
- `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.) - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.)
- `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log. - `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
- The following variables are available: - The following variables are available:
- `Ctx`: the `macaron.Context` of the request. - `Ctx`: the `macaron.Context` of the request.
- `Identity`: the SignedUserName or `"-"` if not logged in. - `Identity`: the SignedUserName or `"-"` if not logged in.

View file

@ -143,7 +143,7 @@ log using the value: `ACCESS = ,`
This value represent a go template. It's default value is: This value represent a go template. It's default value is:
`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"` `{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`
The template is passed following options: The template is passed following options:

View file

@ -49,7 +49,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
if ctx.Req.URL.Path != "/user/settings/change_password" { if ctx.Req.URL.Path != "/user/settings/change_password" {
ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
return return
} }
@ -61,7 +61,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
} }
// Redirect to dashboard if user tries to visit any non-login page. // Redirect to dashboard if user tries to visit any non-login page.
if options.SignOutRequired && ctx.IsSigned && ctx.Req.RequestURI != "/" { if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {
ctx.Redirect(setting.AppSubURL + "/") ctx.Redirect(setting.AppSubURL + "/")
return return
} }
@ -83,7 +83,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
return return
} }
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
ctx.Redirect(setting.AppSubURL + "/user/login") ctx.Redirect(setting.AppSubURL + "/user/login")
return return
} else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm { } else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
@ -118,7 +118,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
// Redirect to log in page if auto-signin info is provided and has not signed in. // Redirect to log in page if auto-signin info is provided and has not signed in.
if !options.SignOutRequired && !ctx.IsSigned && !auth.IsAPIPath(ctx.Req.URL.Path) && if !options.SignOutRequired && !ctx.IsSigned && !auth.IsAPIPath(ctx.Req.URL.Path) &&
len(ctx.GetCookie(setting.CookieUserName)) > 0 { len(ctx.GetCookie(setting.CookieUserName)) > 0 {
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
ctx.Redirect(setting.AppSubURL + "/user/login") ctx.Redirect(setting.AppSubURL + "/user/login")
return return
} }

View file

@ -15,7 +15,7 @@ import (
func RequireRepoAdmin() macaron.Handler { func RequireRepoAdmin() macaron.Handler {
return func(ctx *Context) { return func(ctx *Context) {
if !ctx.IsSigned || !ctx.Repo.IsAdmin() { if !ctx.IsSigned || !ctx.Repo.IsAdmin() {
ctx.NotFound(ctx.Req.RequestURI, nil) ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
return return
} }
} }
@ -25,7 +25,7 @@ func RequireRepoAdmin() macaron.Handler {
func RequireRepoWriter(unitType models.UnitType) macaron.Handler { func RequireRepoWriter(unitType models.UnitType) macaron.Handler {
return func(ctx *Context) { return func(ctx *Context) {
if !ctx.Repo.CanWrite(unitType) { if !ctx.Repo.CanWrite(unitType) {
ctx.NotFound(ctx.Req.RequestURI, nil) ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
return return
} }
} }
@ -39,7 +39,7 @@ func RequireRepoWriterOr(unitTypes ...models.UnitType) macaron.Handler {
return return
} }
} }
ctx.NotFound(ctx.Req.RequestURI, nil) ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
} }
} }
@ -63,7 +63,7 @@ func RequireRepoReader(unitType models.UnitType) macaron.Handler {
ctx.Repo.Permission) ctx.Repo.Permission)
} }
} }
ctx.NotFound(ctx.Req.RequestURI, nil) ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
return return
} }
} }
@ -96,6 +96,6 @@ func RequireRepoReaderOr(unitTypes ...models.UnitType) macaron.Handler {
args = append(args, ctx.Repo.Repository, ctx.Repo.Permission) args = append(args, ctx.Repo.Repository, ctx.Repo.Permission)
log.Trace(format, args...) log.Trace(format, args...)
} }
ctx.NotFound(ctx.Req.RequestURI, nil) ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
} }
} }

View file

@ -204,7 +204,7 @@ func newMacaronLogService() {
func newAccessLogService() { func newAccessLogService() {
EnableAccessLog = Cfg.Section("log").Key("ENABLE_ACCESS_LOG").MustBool(false) EnableAccessLog = Cfg.Section("log").Key("ENABLE_ACCESS_LOG").MustBool(false)
AccessLogTemplate = Cfg.Section("log").Key("ACCESS_LOG_TEMPLATE").MustString( AccessLogTemplate = Cfg.Section("log").Key("ACCESS_LOG_TEMPLATE").MustString(
`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`) `{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`)
Cfg.Section("log").Key("ACCESS").MustString("file") Cfg.Section("log").Key("ACCESS").MustString("file")
if EnableAccessLog { if EnableAccessLog {
options := newDefaultLogOptions() options := newDefaultLogOptions()

View file

@ -45,7 +45,7 @@ func Home(ctx *context.Context) {
} else if ctx.User.MustChangePassword { } else if ctx.User.MustChangePassword {
ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.RequestURI, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
} else { } else {
user.Dashboard(ctx) user.Dashboard(ctx)

View file

@ -9,6 +9,7 @@ import (
"strings" "strings"
"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"gitea.com/macaron/macaron" "gitea.com/macaron/macaron"
@ -19,6 +20,7 @@ func CheckInternalToken(ctx *macaron.Context) {
tokens := ctx.Req.Header.Get("Authorization") tokens := ctx.Req.Header.Get("Authorization")
fields := strings.Fields(tokens) fields := strings.Fields(tokens)
if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken { if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
ctx.Error(403) ctx.Error(403)
} }
} }

View file

@ -97,13 +97,13 @@ func RouterHandler(level log.Level) func(ctx *macaron.Context) {
return func(ctx *macaron.Context) { return func(ctx *macaron.Context) {
start := time.Now() start := time.Now()
_ = log.GetLogger("router").Log(0, level, "Started %s %s for %s", log.ColoredMethod(ctx.Req.Method), ctx.Req.RequestURI, ctx.RemoteAddr()) _ = log.GetLogger("router").Log(0, level, "Started %s %s for %s", log.ColoredMethod(ctx.Req.Method), ctx.Req.URL.RequestURI(), ctx.RemoteAddr())
rw := ctx.Resp.(macaron.ResponseWriter) rw := ctx.Resp.(macaron.ResponseWriter)
ctx.Next() ctx.Next()
status := rw.Status() status := rw.Status()
_ = log.GetLogger("router").Log(0, level, "Completed %s %s %v %s in %v", log.ColoredMethod(ctx.Req.Method), ctx.Req.RequestURI, log.ColoredStatus(status), log.ColoredStatus(status, http.StatusText(rw.Status())), log.ColoredTime(time.Since(start))) _ = log.GetLogger("router").Log(0, level, "Completed %s %s %v %s in %v", log.ColoredMethod(ctx.Req.Method), ctx.Req.URL.RequestURI(), log.ColoredStatus(status), log.ColoredStatus(status, http.StatusText(rw.Status())), log.ColoredTime(time.Since(start)))
} }
} }