vendor: update github.com/go-macaron/session (#5469)

Fix security flaw reported by c957861129d62331c5704d2f04d11e41.

gogs.go

@@ -16,7 +16,7 @@ import (
 	"github.com/gogs/gogs/pkg/setting"
 )
 
-const APP_VER = "0.11.68.1023"
+const APP_VER = "0.11.69.1024"
 
 func init() {
 	setting.AppVer = APP_VER

templates/.VERSION

@@ -1 +1 @@
-0.11.68.1023
+0.11.69.1024

vendor/github.com/go-macaron/session/README.md

@@ -4,6 +4,8 @@ Middleware session provides session management for [Macaron](https://github.com/
 
 ### Installation
 
+The minimum requirement of Go is 1.6 (*1.7 if using Redis, 1.8 if using MySQL*).
+
 	go get github.com/go-macaron/session
 	
 ## Getting Help

vendor/github.com/go-macaron/session/session.go

@@ -18,15 +18,17 @@ package session
 
 import (
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"gopkg.in/macaron.v1"
 )
 
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
 
 func Version() string {
 	return _VERSION
@@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }
 
-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
+func (m *Manager) sessionID() string {
 	return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
 }
 
@@ -258,7 +260,7 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 		return m.provider.Read(sid)
 	}
 
-	sid = m.sessionId()
+	sid = m.sessionID()
 	sess, err := m.provider.Read(sid)
 	if err != nil {
 		return nil, err
@@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 
 // Read returns raw session store by session ID.
 func (m *Manager) Read(sid string) (RawStore, error) {
+	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+	// See https://github.com/gogs/gogs/issues/5469
+	if strings.ContainsAny(sid, "./") {
+		return nil, errors.New("invalid 'sid': " + sid)
+	}
+
 	return m.provider.Read(sid)
 }
 
@@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
 
 // RegenerateId regenerates a session store from old session ID to new one.
 func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
-	sid := m.sessionId()
+	sid := m.sessionID()
 	oldsid := ctx.GetCookie(m.opt.CookieName)
 	sess, err = m.provider.Regenerate(oldsid, sid)
 	if err != nil {

vendor/vendor.json

@@ -135,10 +135,10 @@
 			"revisionTime": "2016-06-27T17:00:12Z"
 		},
 		{
-			"checksumSHA1": "gO0dj0NqsmBTkf4D0JzJDtOEx+U=",
+			"checksumSHA1": "DsbAcljMg4dSIIf6N/RJEJY6nTk=",
 			"path": "github.com/go-macaron/session",
-			"revision": "b8e286a0dba8f4999042d6b258daf51b31d08938",
-			"revisionTime": "2017-03-20T17:22:09Z"
+			"revision": "487775536c781f5fd19b36c9421b79ba2b8a119d",
+			"revisionTime": "2018-10-24T13:41:25Z"
 		},
 		{
 			"checksumSHA1": "jVW5CmzplA0UDjai0AFYJFVXAJk=",