CSRF validation errors when OAuth is not enabled #30923
Forgot to make a complete solution in 1.22 .... will do it.
-> Introduce general web secret #30929
wxiaoguang added a commit that referenced this issue May 14, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue May 14, 2024
lunny pushed a commit that referenced this issue May 14, 2024
Backport #30942 by @wxiaoguang Fix #30923 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Description
When upgrading to 1.21, we began experiencing sporadic CSRF validation errors on form submissions. We run a multi-container Docker setup, and found this issue only happened when the container that issued the CSRF token was not the same container that handled the form submission. In investigating the container logs, we found the following log line which seems to be the root cause:
It is possible to reproduce without multiple containers, using the following steps:
It appears this log message and the change to CSRF token generation were introduced in #29205.
Gitea Version
1.21.11
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Multi-container Docker
Database
None
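The symptom reported above (a CSRF token issued by one container is rejected by another) can be reproduced in a small model. This is an added example, not Gitea's code: it assumes each instance signs tokens with HMAC-SHA256 and falls back to a random per-process secret when no shared secret is configured; `Instance`, `NewInstance`, `Issue` and `Validate` are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Instance models one web container (hypothetical names throughout).
type Instance struct{ secret []byte }

// NewInstance uses the shared secret, or (assumed failure mode) a random per-process one.
func NewInstance(shared []byte) *Instance {
	if len(shared) == 0 {
		shared = make([]byte, 32)
		if _, err := rand.Read(shared); err != nil {
			panic(err)
		}
	}
	return &Instance{secret: shared}
}

func (i *Instance) mac(sessionID string) []byte {
	m := hmac.New(sha256.New, i.secret)
	m.Write([]byte(sessionID))
	return m.Sum(nil)
}

// Issue returns "<sessionID>.<base64url HMAC>".
func (i *Instance) Issue(sessionID string) string {
	return sessionID + "." + base64.RawURLEncoding.EncodeToString(i.mac(sessionID))
}

// Validate recomputes the HMAC with this instance's own secret, in constant time.
func (i *Instance) Validate(token string) bool {
	id, sig, _ := strings.Cut(token, ".")
	got, err := base64.RawURLEncoding.DecodeString(sig)
	return err == nil && hmac.Equal(got, i.mac(id))
}

func main() {
	a, b := NewInstance(nil), NewInstance(nil) // two containers, no shared secret
	tok := a.Issue("sess-1")                   // constructed session ID
	fmt.Println("issuer:", a.Validate(tok), "other:", b.Validate(tok))
	shared := []byte("constructed-secret") // constructed sample value
	fmt.Println("shared:", NewInstance(shared).Validate(NewInstance(shared).Issue("sess-1")))
}
```

With a load balancer in front, the failure in this model is sporadic because it only shows when the form submission lands on a different instance than the one that rendered the form.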