-
v0.3.4 Stable
released this
2026-07-10 19:40:39 +00:00 | 0 commits to main since this releaseSecurity
This release fixes three vulnerabilities identified in a security review. Upgrade is recommended for all deployments using
password protection.- Authentication Bypass (High, CWE-287): Password-protected sites could be accessed with any non-empty cookie when
authSecretKeywas not configured (the default).verifyAuthCookie()/verifyBranchAuthCookie()no longer accept any non-empty cookie; with no secret key they now fail
closed.New()auto-generates a strong randomauthSecretKey(32 bytes) at startup when none is configured, so cookie signatures
are always enforced (secure by default).- Cookies are always signed (removed the unsigned fallback).
- A startup warning recommends setting
authSecretKeyexplicitly for stable sessions across restarts and multi-instance/HA
deployments.
- Stored XSS via
.redirects(Medium, CWE-79):formatRedirectList()now HTML-escapes rule values on the/LOAD_REDIRECTS
page. - HTML Injection (Medium, CWE-79):
username,repository,custom_domain, and error strings are now escaped via
html.EscapeString()in the login pages, the default error page, and the/LOAD_REDIRECTSpages.
All fixes use only the Go standard library to remain Yaegi-compatible.
Tests
- Added
security_test.gowith regression tests for all three issues: auth bypass fails closed, key auto-generation, forged /
tampered / cross-repo / wrong-key cookie rejection, and HTML escaping in the redirect list, login pages, and error page.
Upgrade Notes
- If you use password protection and have not set
authSecretKey, a random key is now generated at each startup. Existing
cookies are invalidated on restart and separate instances won't share sessions — setauthSecretKeyexplicitly for
stable/multi-instance behaviour.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
- Authentication Bypass (High, CWE-287): Password-protected sites could be accessed with any non-empty cookie when