diff --git a/admin.go b/admin.go
index 6d308ab..d191832 100644
--- a/admin.go
+++ b/admin.go
@@ -38,6 +38,8 @@ func adminLoginHandler(w http.ResponseWriter, r *http.Request) {
 		Value:    base64.StdEncoding.EncodeToString([]byte(username + ":" + hashPassword(password))),
 		Path:     "/admin/",
 		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
 	})
 	http.Redirect(w, r, "/admin/", http.StatusSeeOther)
 }
@@ -61,8 +63,8 @@ func isAdmin(r *http.Request) bool {
 		return false
 	}
 	var username, passwordHash string
-	regexp := regexp.MustCompile(`^([^:]+):([a-f0-9]+)$`)
-	matches := regexp.FindStringSubmatch(string(decoded))
+	regex := regexp.MustCompile(`^([^:]+):([a-f0-9]+)$`)
+	matches := regex.FindStringSubmatch(string(decoded))
 	if len(matches) != 3 {
 		return false
 	}
diff --git a/klice.go b/klice.go
index 66bcae3..4ec4690 100644
--- a/klice.go
+++ b/klice.go
@@ -54,6 +54,7 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
 	}
 	http.SetCookie(w, cookie)
 
@@ -61,7 +62,7 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 	if err == nil {
 		redir.MaxAge = -1
 		http.SetCookie(w, redir)
-		http.Redirect(w, r, redir.Value, http.StatusSeeOther)
+		http.Redirect(w, r, safeRedirectURL(redir.Value), http.StatusSeeOther)
 	} else {
 		http.Redirect(w, r, "/team", http.StatusSeeOther)
 	}
@@ -110,6 +111,7 @@ func isLoggedIn(w http.ResponseWriter, r *http.Request) (bool, int) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
 	}
 	http.SetCookie(w, redir)
 	http.Redirect(w, r, "/login", http.StatusSeeOther)
@@ -330,6 +332,13 @@ func qrHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func safeRedirectURL(u string) string {
+	if strings.HasPrefix(u, "/") && !strings.HasPrefix(u, "//") {
+		return u
+	}
+	return "/team"
+}
+
 func main() {
 	var err error
 	db, err = sql.Open("sqlite3", dbFile+"?_fk=on")
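Review bot: The admin cookie in adminLoginHandler still carries no MaxAge or Expires, and its Value is a deterministic encoding of `username + ":" + hashPassword(password)` (the context line above the added attributes), so a cookie that leaks stays valid until the admin's password changes; SameSite and Secure narrow how it can leak, not for how long it works. Consider adding `MaxAge: 3600,` (constructed value) beside the new attributes and, longer term, a random opaque session ID that isAdmin resolves server-side instead of a credential-derived value. Secure: true also means browsers never return the cookie over plain HTTP, so a deployment without TLS in front of this handler would most likely bounce straight back to the login form; a comment such as `// Secure: the admin UI must be served over HTTPS` would make that requirement explicit. The same Secure attribute is added to the loginHandler and isLoggedIn cookies in klice.go. adminLoginHandler begins before this hunk.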
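Review bot: `regex := regexp.MustCompile(...)` in isAdmin still compiles the pattern on every call, and isAdmin runs per request; hoist it to package scope as `var adminCookieRe = regexp.MustCompile("^([^:]+):([a-f0-9]+)$")` and use `matches := adminCookieRe.FindStringSubmatch(string(decoded))`. That also removes the need for the rename, since nothing shadows the regexp package any more. If the captured passwordHash is later compared against the stored hash with `==` (not visible in this hunk), `subtle.ConstantTimeCompare` from crypto/subtle is the safer choice. isAdmin begins before this hunk.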
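Review bot: safeRedirectURL rejects `//host` but not `/\host`; browsers that follow the WHATWG URL parser treat a backslash after the leading slash as a second slash, so a stored redirect of that shape is still sent off-origin. Tighten the check by also rejecting a `/\` prefix and by parsing with net/url so any value with a scheme, host or userinfo (or a control character, which url.Parse refuses) falls back to the default; this needs `net/url` in the import block, which lies outside the hunk. The function also deserves a doc comment stating that it returns only same-origin, path-only targets. The `"/team"` fallback is duplicated in loginHandler's else branch in the hunk above; a shared constant would keep the two in step.
```go
// safeRedirectURL returns u only if it is a same-origin, path-only target
// (leading "/", not "//" or "/\", and no scheme, host or userinfo); any
// other value falls back to the default landing page.
func safeRedirectURL(u string) string {
	const fallback = "/team"
	if !strings.HasPrefix(u, "/") || strings.HasPrefix(u, "//") || strings.HasPrefix(u, `/\`) {
		return fallback
	}
	parsed, err := url.Parse(u)
	if err != nil || parsed.Scheme != "" || parsed.Host != "" || parsed.User != nil {
		return fallback
	}
	return u
}
```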