Bug 230800 - devel/gogs: Fix open redirect vulnerability
Summary: devel/gogs: Fix open redirect vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Steve Wills
URL: https://github.com/gogs/gogs/issues/5364
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-21 13:57 UTC by Dmitri Goutnik
Modified: 2018-08-22 21:18 UTC (History)
0 users

See Also:
dmgk: merge-quarterly?

Attachments
patch file (1.06 KB, patch)
2018-08-21 13:57 UTC, Dmitri Goutnik 		dmgk: maintainer-approval+
Details | Diff
vuln.patch (1.48 KB, patch)
2018-08-22 20:26 UTC, Dmitri Goutnik 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitri Goutnik freebsd_committer freebsd_triage 2018-08-21 13:57:41 UTC 
Created attachment 196418 [details]
patch file

- Fix open redirect vulnerability in login action.

Upstream report: https://github.com/gogs/gogs/issues/5364
Upstream patch: https://github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2

QA:
  poudriere testport: OK (112a, 111a, 104i)
Comment 1 Steve Wills freebsd_committer freebsd_triage 2018-08-22 18:24:21 UTC 
Would like to get a comment from upstream before committing and merging this. Can you also create a VuXML entry for this, and add the CVE reference if there is one?

Thanks,
Steve
Comment 2 Dmitri Goutnik freebsd_committer freebsd_triage 2018-08-22 20:26:39 UTC 
Created attachment 196447 [details]
vuln.patch

Hi Steve,

VuXML entry attached, there's no CVE. According to gogs GitHub issue tracker, this issue belongs to 0.12 milestone which has no ETA; I thought it would make sense to get it in early instead of waiting for upstream.
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:03:41 UTC 
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:03:22 UTC 2018
New revision: 477824
URL: https://svnweb.freebsd.org/changeset/ports/477824

Log:
  Document gogs open redirect issue

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org>

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:16:53 UTC 
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:16:16 UTC 2018
New revision: 477825
URL: https://svnweb.freebsd.org/changeset/ports/477825

Log:
  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  MFH:		2018Q3
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

Changes:
  head/devel/gogs/Makefile
  head/devel/gogs/distinfo
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:17:56 UTC 
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:17:29 UTC 2018
New revision: 477826
URL: https://svnweb.freebsd.org/changeset/ports/477826

Log:
  MFH: r477825

  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/gogs/Makefile
  branches/2018Q3/devel/gogs/distinfo
Comment 6 Steve Wills freebsd_committer freebsd_triage 2018-08-22 21:18:35 UTC 
Committed, thanks especially for the VuXML entry!