Handle base64 decoding correctly to avoid panic (#26483)

Fix the panic if the "base64 secret" is too long.
2025-07-05 18:17:19 +00:00 · 2023-08-14 18:30:16 +08:00
parent cafce3b4b5
commit ed1be4ca68
8 changed files with 43 additions and 30 deletions
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@ -10,6 +10,7 @@ import (

 	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 )

 // OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
@ -129,21 +130,19 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 	}

 	if InstallLock {
-		key := make([]byte, 32)
-		n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
-		if err != nil || n != 32 {
-			key, err = generate.NewJwtSecret()
+		if _, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(OAuth2.JWTSecretBase64), 32); err != nil {
+			key, err := generate.NewJwtSecret()
 			if err != nil {
 				log.Fatal("error generating JWT secret: %v", err)
 			}

-			secretBase64 := base64.RawURLEncoding.EncodeToString(key)
+			OAuth2.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(key)
 			saveCfg, err := rootCfg.PrepareSaving()
 			if err != nil {
 				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
 			}
-			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
-			saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
+			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
+			saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
 			if err := saveCfg.Save(); err != nil {
 				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
 			}