Do not display the raw OpenID error in the UI (#5705)

zeripath · techknowlogick · commit 2b36bdd4902a · 2019-01-12T14:24:47.000-05:00
* Do not display the raw OpenID error in the UI If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid section of the app.ini, it is possible that gitea can leak sensitive information about the local network through the error provided by the UI. This PR hides the error information and logs it. Fix #4973 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update auth_openid.go Place error log within the `err != nil` branch.
diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go
@@ -115,7 +115,8 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
 	redirectTo := setting.AppURL + "user/login/openid"
 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
 	if err != nil {
-		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
+		log.Error(1, "Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
+		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
 		return
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,8 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {`
`115`	`115`	`redirectTo := setting.AppURL + "user/login/openid"`
`116`	`116`	`url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)`
`117`	`117`	`if err != nil {`
`118`		`- ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)`
	`118`	`+ log.Error(1, "Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())`
	`119`	`+ ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)`
`119`	`120`	`return`
`120`	`121`	`}`
`121`	`122`