Browse Source

Only check access tokens if they are likely to be tokens (#16164) (#16171)

Backprt #16164

Gitea will currently check every if every password is an access token even though
most passwords are not and cannot be access tokens.

By creation access tokens are 40 byte hexadecimal strings therefore only these should
be checked.

Signed-off-by: Andrew Thornton <art27@cantab.net>
mj-v1.14.3
zeripath 1 year ago
committed by GitHub
parent
commit
946eb1321c
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 8
      models/token.go

8
models/token.go

@ -57,9 +57,15 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
if token == "" {
return nil, ErrAccessTokenEmpty{}
}
if len(token) < 8 {
// A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
if len(token) != 40 {
return nil, ErrAccessTokenNotExist{token}
}
for _, x := range []byte(token) {
if x < '0' || (x > '9' && x < 'a') || x > 'f' {
return nil, ErrAccessTokenNotExist{token}
}
}
var tokens []AccessToken
lastEight := token[len(token)-8:]
err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)

Loading…
Cancel
Save