Gogs 0.11.53 is released


#1

Hello everyone,

Hope you have had a pleasant experience with Gogs so far!

We’re glad to announce that Gogs 0.11.53 is released!

You can find binary downloads in the usual place.

The change log is available at GitHub.

Please enjoy and happy coding!


#2

Hi there,

for me it broke LDAP authentication with a 500 error, though local is still working.

2018/06/05 18:08:00 [TRACE] Session ID: 316f319a52fa145f
2018/06/05 18:08:00 [TRACE] CSRF Token: 1xBBvJddJ5RTcvLf3_kUZMR0O-U6MTUyODIxNDUxNzA1NTE0NzUxOQ==
2018/06/05 18:08:00 [TRACE] LDAP: Dialing with security protocol '0' without verifying: false
2018/06/05 18:08:00 [TRACE] LDAP will use BindDN
2018/06/05 18:08:00 [TRACE] Search for LDAP user: Peter
2018/06/05 18:08:00 [TRACE] LDAP: Bound as BindDN: CN=AD-Git,OU=Daemon,OU=Accounts,DC=contoso,DC=com
2018/06/05 18:08:00 [TRACE] LDAP: Searching for DN using filter '(&(objectClass=User)(sAMAccountName=Peter)(memberof=CN=Git_Gogs_Users,OU=GitVCS,OU=Web_Applications,OU=Groups,DC=contoso,DC=com))' and base 'OU=Accounts,DC=contoso,DC=com'
2018/06/05 18:08:00 [TRACE] Fetching attributes '', 'givenName', 'sn', 'mail', '' with filter '(&(objectClass=User)(sAMAccountName=Peter)(memberof=CN=Git_Gogs_Users,OU=GitVCS,OU=Web_Applications,OU=Groups,DC=contoso,DC=com))' and base 'CN=Peter,OU=C1_users,OU=Accounts,DC=contoso,DC=com'
2018/06/05 18:08:00 [TRACE] Checking admin with filter '(&(objectClass=user)(memberof=CN=Git_Gogs_Admins,OU=GitVCS,OU=Web_Applications,OU=Groups,DC=contoso,DC=com))' and base 'CN=Peter,OU=C1_users,OU=Accounts,DC=contoso,DC=com'
2018/06/05 18:08:00 [TRACE] Binding with userDN: CN=Peter,OU=C1_users,OU=Accounts,DC=contoso,DC=com
2018/06/05 18:08:00 [TRACE] Bound successfully with userDN: CN=Peter,OU=C1_users,OU=Accounts,DC=contoso,DC=com
2018/06/05 18:08:00 [ERROR] [...g/context/context.go:171 ServerError()] UserLogin: e-mail has been used [email: mary@contoso.com]
2018/06/05 18:08:00 [TRACE] Template: status/500

Did the LDAP binding need updating? Am I missing something (preferred answer)?

Cheers,

Pel


#3

The bind logic has not changed; the only thing that differs from the last release in terms of LDAP is that the user now chooses which authentication source they want to use. From the error you posted, it would exist in any other version. The user tries to log in as if it’s his first time, but the email returned from the LDAP search has been used.


#4

OK. Disclaimer: I work in IT and have done for years. Sometimes you miss a thing or two. Turns out Peter didn’t know his password (or failed to type it correctly). Flame if you wish.

However, it’s not quite right that the auth fail triggers a 500 error. After all, the application behaved correctly and denied access based on the credentials provided. Although it’s not a big deal and providing differing error pages could contribute to brute-forceability, I would very much like [the users] to see an access denied page upon login failure. Is this on the planning board, by any chance?

Cheers,

Pel


#5

Currently Gogs doesn’t have audit logs.

Could you please open two issues on GitHub:

  1. Suggest adding an audit log for failed logins on the admin panel
  2. Suggest detecting the “email used” error and responding to the user instead of returning a 500
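
A sketch of the two suggestions above, added here as an example and not taken from the thread or from Gogs' code: expected login failures get one generic denial instead of a 500, and every failure is recorded for an audit log. The error values, `AuditEntry`, `auditLog` and `LoginResponse` are hypothetical names, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Hypothetical sentinel errors; Gogs' real error types are not shown in the thread.
var (
	ErrBadCredentials = errors.New("invalid username or password")
	ErrEmailUsed      = errors.New("e-mail has been used")
)

// AuditEntry is one failed-login record for an admin-panel audit log.
type AuditEntry struct {
	Time   time.Time
	User   string
	Source string // authentication source, e.g. "ldap" or "local"
	Reason string // internal detail, never shown to the user
}

var auditLog []AuditEntry

const genericDenied = "Sign-in failed. Check your credentials or contact an administrator."

// LoginResponse maps a login error to an HTTP status and user-facing message.
// Expected failures share one response, so the page does not reveal which check
// failed; only unexpected errors remain a 500. Every failure is audited.
func LoginResponse(user, source string, err error) (int, string) {
	if err == nil {
		return http.StatusOK, "Signed in."
	}
	auditLog = append(auditLog, AuditEntry{time.Now(), user, source, err.Error()})
	if errors.Is(err, ErrBadCredentials) || errors.Is(err, ErrEmailUsed) {
		return http.StatusUnauthorized, genericDenied
	}
	return http.StatusInternalServerError, "Internal server error."
}

func main() {
	// Constructed sample, modelled on the error line in the log above.
	wrapped := fmt.Errorf("UserLogin: %w [email: user@example.com]", ErrEmailUsed)
	fmt.Println(LoginResponse("Peter", "ldap", wrapped))
	fmt.Println(LoginResponse("Peter", "ldap", ErrBadCredentials))
	fmt.Println(LoginResponse("Peter", "ldap", errors.New("ldap: connection refused")))
	fmt.Println(len(auditLog), "failed logins recorded")
}
```

The specific reason stays in the audit record only, which keeps the login page uniform while still giving an administrator what is needed to tell a mistyped password from an account conflict.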

#6

Sure thing! Might be tomorrow as I need to take care of some other matters this evening. Thanks anyhow!

Cheers,

Pel


#7

Is packager.io still maintained? It’s listed in the docs, but the packages seem to be updated more or less randomly (https://packager.io/gh/pkgr/gogs)


#8

I’m not the maintainer of that… I’ll remove the link from the website


#9

This topic was automatically closed after 3 days. New replies are no longer allowed.