USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

repo/editor: disallow editing symlink while changing file name (#7857) 

## Describe the pull request

Link to the issue: https://github.com/gogs/gogs/issues/7582
pull/7858/head
Joe Chen 2024-12-08 21:12:55 -05:00 committed by GitHub
parent 25a799ad63
commit c94baec9ca
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
internal/route/repo/editor.go
View File

@ -192,6 +192,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
return
}
} else {
// 🚨 SECURITY: Do not allow editing if the target file is a symlink.
if entry.IsSymlink() {
c.FormErr("TreePath")
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
@ -205,7 +206,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
}
if !isNewFile {
_, err := c.Repo.Commit.TreeEntry(oldTreePath)
entry, err := c.Repo.Commit.TreeEntry(oldTreePath)
if err != nil {
if gitutil.IsErrRevisionNotExist(err) {
c.FormErr("TreePath")
@ -215,6 +216,14 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
}
return
}
// 🚨 SECURITY: Do not allow editing if the old file is a symlink.
if entry.IsSymlink() {
c.FormErr("TreePath")
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", oldTreePath), tmplEditorEdit, &f)
return
}
if lastCommit != c.Repo.CommitID {
files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
if err != nil {