Handle base64 decoding correctly to avoid panic (#26483)

Fix the panic if the "base64 secret" is too long.
wxiaoguang 2023-08-14 18:30:16 +08:00 committed by GitHub
parent cafce3b4b5
commit ed1be4ca68
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 43 additions and 30 deletions


@ -336,16 +336,7 @@ func InitSigningKey() error {
// loadSymmetricKey checks if the configured secret is valid.
// If it is not valid, it will return an error.
func loadSymmetricKey() (any, error) {
key := make([]byte, 32)
n, err := base64.RawURLEncoding.Decode(key, []byte(setting.OAuth2.JWTSecretBase64))
if err != nil {
return nil, err
}
if n != 32 {
return nil, fmt.Errorf("JWT secret must be 32 bytes long")
}
return key, nil
return util.Base64FixedDecode(base64.RawURLEncoding, []byte(setting.OAuth2.JWTSecretBase64), 32)
}
// loadOrCreateAsymmetricKey checks if the configured private key exists.
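Review bot: The single `return util.Base64FixedDecode(...)` in loadSymmetricKey forwards the helper's error unchanged, so the old "JWT secret must be 32 bytes long" text is gone and an operator may no longer learn which setting is malformed. The helper is not visible in this hunk, so this depends on its message. Wrapping at this layer keeps the context: `key, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(setting.OAuth2.JWTSecretBase64), 32)`, then `if err != nil { return nil, fmt.Errorf("decoding oauth2 JWT secret: %w", err) }` and `return key, nil`, provided `fmt` is still imported in the file. That form also returns a literal nil on failure instead of a `[]byte` boxed in `any`, which presumably matters only if a caller tests the key rather than the error. Whatever message is used, it should never contain the decoded bytes or the encoded secret string.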