Dasko/GoNtech
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Bezbednost: open redirect i kolačići bez Secure atributa

Browse Source 
- _next parametar: sanitizacija preko url.Parse (Host+Scheme prazan = relativan URL)
  umesto ručnog string check-a koji CodeQL nije prepoznavao
- Kolačići: dodat Secure atribut (true u produkciji, false u razvoju)
  na 4 mesta: ntech_sesija brisanje (auth.go, prijava.go),
  ntech_flash_greska postavljanje i brisanje (auth.go, dashboard.go)
This commit is contained in:
Dalibor Marković
2026-06-16 03:32:07 +02:00
parent f9af825a27
commit 532f95848c
4 changed files with 30 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/handler/prijava.go
+7 -5
View File
@@ -262,11 +262,13 @@ func (h *Handler) Odjava(w http.ResponseWriter, r *http.Request) {
_ = h.SesijeRepo.Obrisi(r.Context(), kolacic.Value)
}
http.SetCookie(w, &http.Cookie{
Name: imeKolacica,
Value: "",
Path: "/",
Expires: time.Unix(0, 0),
MaxAge: -1,
Name: imeKolacica,
Value: "",
Path: "/",
Expires: time.Unix(0, 0),
MaxAge: -1,
Secure: os.Getenv("NTECH_ENV") == "production",
HttpOnly: true,
})
http.Redirect(w, r, "/prijava", http.StatusSeeOther)
}