Filippo Valsorda :go: on Nostr: A PSA since there's some confusion on this... There is no vulnerability in Gorilla ...
A PSA since there's some confusion on this...
There is no vulnerability in Gorilla Sessions.
The vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.
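The check the post is pointing at, as an added example (not the post's code and not Gorilla's): a minimal stand-in that uses only the Go standard library in place of securecookie, accepts a session ID from the cookie only after its MAC verifies, and only then turns it into a file name. The key, cookie encoding and names here are constructed assumptions, not Gorilla's actual wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"path/filepath"
	"strings"
)

// Constructed demo key; a real store uses a random secret (securecookie's hashKey).
var hashKey = []byte("constructed-demo-hash-key-not-for-real-use")

// encodeSessionID mimics the role securecookie plays for FilesystemStore:
// the cookie carries the ID plus a MAC over (cookie name, ID), so the client
// cannot substitute an ID of its own choosing.
func encodeSessionID(cookieName, id string) string {
	mac := hmac.New(sha256.New, hashKey)
	mac.Write([]byte(cookieName + "|" + id))
	tag := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return base64.RawURLEncoding.EncodeToString([]byte(id)) + "." + tag
}

// authenticatedSessionID is the FilesystemStore-style load path: reject the
// cookie unless the MAC verifies; a store that skips this step trusts the ID.
func authenticatedSessionID(cookieName, cookieValue string) (string, error) {
	parts := strings.SplitN(cookieValue, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed session cookie")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	id := string(raw)
	mac := hmac.New(sha256.New, hashKey)
	mac.Write([]byte(cookieName + "|" + id))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[1])) {
		return "", errors.New("session cookie failed authentication")
	}
	return id, nil
}

// sessionFilePath builds the on-disk name ("session_" + id under the store
// directory); call it only with an ID returned by authenticatedSessionID.
func sessionFilePath(dir, id string) string {
	return filepath.Join(dir, "session_"+id)
}
```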