From 96b66e330b9a592093799a50219c8118de6951eb Mon Sep 17 00:00:00 2001
From: leonklingele <5585491+leonklingele@users.noreply.github.com>
Date: Sat, 6 Jul 2019 17:47:09 +0200
Subject: [PATCH] routers/user: ensure that decryption of cookie actually
 suceeds (#7363)

Previously, only the first return value of ctx.GetSuperSecureCookie
was used to check whether decryption of the auth cookie succeeded.
ctx.GetSuperSecureCookie also returns a second value, a boolean,
indicating success or not. That value should be checked first to
be on the safe side and not rely on internal logic of the encryption
and decryption blackbox.
---
 routers/user/auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routers/user/auth.go b/routers/user/auth.go
index 0731e3467..576f63057 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}
 
-	if val, _ := ctx.GetSuperSecureCookie(
-		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
+	if val, ok := ctx.GetSuperSecureCookie(
+		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 		return false, nil
 	}