]> source.dussan.org Git - gitea.git/commitdiff
projects / gitea.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3fd060e)
Disallow urlencoded new lines in git protocol paths if there is a port (#13521)
authorzeripath <art27@cantab.net>
Wed, 11 Nov 2020 20:34:16 +0000 (20:34 +0000)
committerGitHub <noreply@github.com>
Wed, 11 Nov 2020 20:34:16 +0000 (20:34 +0000)
Signed-off-by: Andrew Thornton <art27@cantab.net>
modules/auth/repo_form.go patch | blob | history

diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 039b0cb583a09073ba7e05ad279a89a163b91781..f27812bb1b964c5e3b8e64db7843bbaf7063df53 100644 (file)
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -102,6 +102,9 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string, user *models
                        u.User = url.UserPassword(authUsername, authPassword)
                }
                remoteAddr = u.String()
+               if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+                       return "", models.ErrInvalidCloneAddr{IsURLError: true}
+               }
        } else if !user.CanImportLocal() {
                return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
        } else if !com.IsDir(remoteAddr) {
Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea