USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

repo/editor: disallow editing symlink while changing file name (#7857) 

## Describe the pull request

Link to the issue: https://github.com/gogs/gogs/issues/7582
release/0.13
Joe Chen 2024-12-08 21:12:55 -05:00
parent b89da2f6eb
commit 40cb106198
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
internal/route/repo/editor.go
View File

@ -192,6 +192,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
return return
} }
} else { } else {
// 🚨 SECURITY: Do not allow editing if the target file is a symlink.
if entry.IsSymlink() { if entry.IsSymlink() {
c.FormErr("TreePath") c.FormErr("TreePath")
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f) c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
@ -205,7 +206,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
} }
if !isNewFile { if !isNewFile {
_, err := c.Repo.Commit.TreeEntry(oldTreePath) entry, err := c.Repo.Commit.TreeEntry(oldTreePath)
if err != nil { if err != nil {
if gitutil.IsErrRevisionNotExist(err) { if gitutil.IsErrRevisionNotExist(err) {
c.FormErr("TreePath") c.FormErr("TreePath")
@ -215,6 +216,14 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
} }
return return
} }
// 🚨 SECURITY: Do not allow editing if the old file is a symlink.
if entry.IsSymlink() {
c.FormErr("TreePath")
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", oldTreePath), tmplEditorEdit, &f)
return
}
if lastCommit != c.Repo.CommitID { if lastCommit != c.Repo.CommitID {
files, err := c.Repo.Commit.FilesChangedAfter(lastCommit) files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
if err != nil { if err != nil {