From 94223bc41702eaaa5466a4591347d644ff3de4d2 Mon Sep 17 00:00:00 2001
From: tkinaba
Date: Mon, 30 Dec 2024 17:41:53 -0300
Subject: [PATCH] fix: base64 encode gzipped data

`string(gzippedData)` does not guarantee a UTF-8 sanitized string, which may lead to corrupted data.
---
 gothic/gothic.go | 7 ++++---
 gothic/gothic_test.go | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/gothic/gothic.go b/gothic/gothic.go
index 0c32caff1..315beb3ff 100644
--- a/gothic/gothic.go
+++ b/gothic/gothic.go
@@ -330,7 +330,7 @@ func GetFromSession(key string, req *http.Request) (string, error) {
 session, _ := Store.Get(req, SessionName)
 value, err := getSessionValue(session, key)
 if err != nil {
- return "", errors.New("could not find a matching session for this request")
+ return "", err
 }
 return value, nil
@@ -343,7 +343,8 @@ func getSessionValue(session *sessions.Session, key string) (string, error) {
 }
 rdata := strings.NewReader(value.(string))
- r, err := gzip.NewReader(rdata)
+ b64Reader := base64.NewDecoder(base64.StdEncoding, rdata)
+ r, err := gzip.NewReader(b64Reader)
 if err != nil {
 return "", err
 }
@@ -368,6 +369,6 @@ func updateSessionValue(session *sessions.Session, key, value string) error {
 return err
 }
- session.Values[key] = b.String()
+ session.Values[key] = base64.StdEncoding.EncodeToString(b.Bytes())
 return nil
 }
diff --git a/gothic/gothic_test.go b/gothic/gothic_test.go
index bb0254a0a..1815dc70e 100644
--- a/gothic/gothic_test.go
+++ b/gothic/gothic_test.go
@@ -3,6 +3,7 @@ package gothic_test
 import (
 "bytes"
 "compress/gzip"
+ "encoding/base64"
 "fmt"
 "html"
 "io/ioutil"
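Review bot: `return "", err` in GetFromSession now hands callers whatever getSessionValue produced, including gzip and base64 decoder errors, where they previously always received one fixed message. A caller that matches on the old text, or that echoes the error into an HTTP response, will behave differently and may expose decoder internals. I would keep the stable message and attach the cause, e.g. `return "", fmt.Errorf("could not find a matching session for this request: %w", err)` (this assumes `fmt` is imported in gothic.go, which the hunk does not show). The error from `Store.Get` on the context line above is still discarded, so a store failure presumably looks the same as a missing key here. The function's closing brace is outside the hunk.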
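Review bot: Wrapping `rdata` in `base64.NewDecoder` in getSessionValue makes values written by the previous release unreadable, because a raw gzip string already stored in a session is not valid base64 and `gzip.NewReader(b64Reader)` will fail on it. If sessions that are in flight during an upgrade matter, either call the break out in the release notes or fall back to the legacy raw-gzip read when base64 decoding fails. Separately, the context line `value.(string)` is an unchecked type assertion and would panic on a non-string session value; `s, ok := value.(string)` with an error return on `!ok` is safer. The rest of the function, including the read of the decompressed stream, is outside the hunk, so I cannot tell whether that read is size-bounded.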
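Review bot: `base64.StdEncoding.EncodeToString(b.Bytes())` in updateSessionValue makes each stored value about a third larger, which partly undoes the gzip step before it. If `Store` is cookie-backed (not visible here), a provider session payload that fit before may now exceed the store's size limit and fail on save; a test with a long value would show whether that happens. I would also document the format beside the assignment, e.g. `// stored as base64(gzip(value)) so the session codec only ever sees ASCII`. The start of the function is outside the hunk.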
@@ -274,12 +275,13 @@ func gzipString(value string) string {
 return "err"
 }
- return b.String()
+ return base64.StdEncoding.EncodeToString(b.Bytes())
 }
 func ungzipString(value string) string {
 rdata := strings.NewReader(value)
- r, err := gzip.NewReader(rdata)
+ b64Reader := base64.NewDecoder(base64.StdEncoding, rdata)
+ r, err := gzip.NewReader(b64Reader)
 if err != nil {
 return "err"
 }
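Review bot: The visible test changes add no case for the failure paths this commit introduces; `gzipString` and `ungzipString` are only updated to mirror the production encoding. A test that stores a value that is not valid base64, and one that stores a legacy raw-gzip value, then asserts that GetFromSession returns an error rather than panicking or returning garbage, would pin the new behaviour. Both helpers return the literal `"err"` on failure, which hides the real cause when an assertion fails; taking `t` and calling `t.Fatalf` at that point would be clearer. gzipString starts and ungzipString ends outside the hunk.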