From ccbb98acd9bba68ad3edce10deb02ddbf1543564 Mon Sep 17 00:00:00 2001
From: Hedi Harzallah
Date: Thu, 9 Sep 2021 13:12:29 +0200
Subject: [PATCH] fix(1356): test if session variable is null (#1357)
* fix(1356): test if session variable is null
* fix(1356): adding changelog
Co-authored-by: Hedi Harzallah
---
 CHANGELOG.md | 1 +
 pkg/middleware/basic_session.go | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ac39d61..dc1f773a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@
 - [#1244](https://github.com/oauth2-proxy/oauth2-proxy/pull/1244) Update Alpine image version to 3.14 (@ahovgaard)
 - [#1317](https://github.com/oauth2-proxy/oauth2-proxy/pull/1317) Fix incorrect `` tag on the sing_in page when *not* using a custom template (@jord1e)
 - [#1330](https://github.com/oauth2-proxy/oauth2-proxy/pull/1330) Allow specifying URL as input for custom sign in logo (@MaikuMori)
+- [#1357](https://github.com/oauth2-proxy/oauth2-proxy/pull/1357) Fix unsafe access to session variable (@harzallah)
 # V7.1.3
diff --git a/pkg/middleware/basic_session.go b/pkg/middleware/basic_session.go
index a6e92faa..71b822c0 100644
--- a/pkg/middleware/basic_session.go
+++ b/pkg/middleware/basic_session.go
@@ -31,7 +31,9 @@ func loadBasicAuthSession(validator basic.Validator, sessionGroups []string, pre
 if preferEmail {
 getSession = func(validator basic.Validator, sessionGroups []string, req *http.Request) (*sessionsapi.SessionState, error) {
 session, err := getBasicSession(validator, sessionGroups, req)
- session.Email = session.User
+ if session != nil {
+ session.Email = session.User
+ }
 return session, err
 }
 }
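Review bot: The new guard in the `preferEmail` closure tests only `session != nil` and never looks at `err`, so a non-nil session returned together with an error would still have `User` copied into `Email`; an early return, `if err != nil || session == nil { return session, err }`, keeps the mutation on the success path. The hunk does not show `getBasicSession`, so whether it can return both values at once is unconfirmed, but a nil session is evidently an expected result (presumably a request without usable basic-auth credentials) and deserves a comment such as `// session is nil when no basic-auth session was loaded; nothing to copy` so the check is not removed later. The diffstat lists only CHANGELOG.md and this file, so a regression test that drives the `preferEmail` path with a request that yields a nil session would keep the nil dereference, a panic inside authentication middleware, from returning. `loadBasicAuthSession` begins and ends outside the hunk.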