]> source.dussan.org Git - gitea.git/commitdiff
projects / gitea.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d412271)
Dont leak private users via extensions (#28023) (#28029)
authorGiteabot <teabot@gitea.io>
Mon, 13 Nov 2023 23:03:42 +0000 (07:03 +0800)
committerGitHub <noreply@github.com>
Mon, 13 Nov 2023 23:03:42 +0000 (00:03 +0100)
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

routers/web/user/home.go patch | blob | history

diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 76b9262eada5cad6ab58e98d16983264c9caf690..d0d24d7ed1031d3a8374bd45a32af7de41e863e9 100644 (file)
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -822,6 +822,11 @@ func UsernameSubRoute(ctx *context.Context) {
        reloadParam := func(suffix string) (success bool) {
                ctx.SetParams("username", strings.TrimSuffix(username, suffix))
                context_service.UserAssignmentWeb()(ctx)
+               // check view permissions
+               if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
+                       ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
+                       return false
+               }
                return !ctx.Written()
        }
        switch {
Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea