USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: clean request path from Git endpoints (#7022)

pull/7024/head
Joe Chen 2022-06-07 21:11:36 +08:00 committed by GitHub
parent e3706575d5
commit 9bf748b6c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -26,6 +26,7 @@ All notable changes to Gogs are documented in this file.
- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
- _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
- _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
- Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
- Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)

4
internal/pathutil/pathutil_test.go
View File

@ -27,6 +27,10 @@ func TestClean(t *testing.T) {
path: "/../a/b/../c/../readme.txt",
wantVal: "a/readme.txt",
},
{
path: "../../objects/info/..",
wantVal: "objects",
},
{
path: "/a/readme.txt",
wantVal: "a/readme.txt",

17
internal/route/repo/http.go
View File

@ -24,6 +24,7 @@ import (
"gogs.io/gogs/internal/conf"
"gogs.io/gogs/internal/db"
"gogs.io/gogs/internal/lazyregexp"
"gogs.io/gogs/internal/pathutil"
"gogs.io/gogs/internal/tool"
)
@ -408,15 +409,21 @@ func HTTP(c *HTTPContext) {
}
if route.method != c.Req.Method {
c.NotFound()
c.Error(http.StatusNotFound)
return
}
file := strings.TrimPrefix(reqPath, m[1]+"/")
dir, err := getGitRepoPath(m[1])
cleaned := pathutil.Clean(m[1])
if m[1] != "/"+cleaned {
c.Error(http.StatusBadRequest, "Request path contains suspicious characters")
return
}
file := strings.TrimPrefix(reqPath, cleaned)
dir, err := getGitRepoPath(cleaned)
if err != nil {
log.Warn("HTTP.getGitRepoPath: %v", err)
c.NotFound()
c.Error(http.StatusNotFound)
return
}
@ -435,5 +442,5 @@ func HTTP(c *HTTPContext) {
return
}
c.NotFound()
c.Error(http.StatusNotFound)
}