Lang cookie missing secure/httpOnly attributes

[tgurr]

• Gitea version: 1.10.2
• Git version: 2.24.0
• Operating system: Linux
• Database:
  • MySQL
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)

Description

I've configured my Gitea instance with CSRF_COOKIE_HTTP_ONLY and COOKIE_SECURE:

; Set false to allow JavaScript to read CSRF cookie
CSRF_COOKIE_HTTP_ONLY              = true
; If you use session in https only, default is false
COOKIE_SECURE     = true

which works fine, except for the lang cookie that doesn't seem to respect that setting:

resulting in a security scanner complaining about the cookie missing the secure and httpOnly attributes.

[rodolpheh]

I think it all boils down to the i18n module for macaron-go : https://github.com/go-macaron/i18n/blob/5a5348d12f10480196f7376cf48de94fa93eb236/i18n.go#L202

[rodolpheh]

My bad, I just saw that i18n in Gitea is a fork. Anyway, the changes I tried to introduce in go-macaron/i18n#11 works on the i18n version of Gitea. This was tested on a Docker build with latest sources.

[tgurr]

@rodolpheh thanks for your work! Looks like the changes also have been pulled into the i18n Gitea fork in the meantime. Is there any option which allows to enable this or is currently the only way to enable/test this to manually change the settings which are off by default in i18n.go before compiling Gitea?

[rodolpheh]

Sorry I have a terrible memory and barely remembered doing that 😄 . Unfortunately it seems that I haven't pushed any changes that would allow setting those in Gitea. I had to dig a little before finding what I had changed in Gitea to make it work. Please find attached a patch file until a proper push is made on Gitea. I pulled the latest sources to make sure this works so hopefully it should work for you.

After applying this patch, the Secure and HttpOnly flags should be added if you had COOKIE_SECURE and CSRF_COOKIE_HTTP_ONLY set to true in your app settings.

macaron.go.patch.txt

[tgurr]

@rodolpheh Thanks for the hint, I couldn't apply your patch, probably because I build from source so I had no /routers/routes/macaron.go b/routers/routes/macaron.go file to begin with.

Based on your patch I went with this: gitea-1.13.1-lang-cookie.txt. Not sure if it's ready for a PR like it is, but it appears to do the trick: