author6543 <24977596+6543@users.noreply.github.com>2019-11-03 15:51:32 +0100
committerLunny Xiao <xiaolunwen@gmail.com>2019-11-03 22:51:32 +0800
commitc5e5063ec9e739870045b9bb7195575fb1d686e4 (patch)
treef6dbdc858b60fb789e8a44ffc4c444be60bc527d
parentb040a87665b0dfbfc0573ed2cd4d0db277abcd45 (diff)
Fix SSH2 conditonal in key parsing code (#8806) (#8810)
Avoid out of bounds error by using strings.HasPrefix to check for starting SSH2 text rather than assuming user input has at least 31 characters. Add tests for bad input as well. Fixes #8800
-rw-r--r--models/ssh_key.go2
-rw-r--r--models/ssh_key_test.go13
2 files changed, 14 insertions, 1 deletions
diff --git a/models/ssh_key.go b/models/ssh_key.go
index d1132bf0c6..edc6d45cd8 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -107,7 +107,7 @@ func parseKeyString(content string) (string, error) {
var keyType, keyContent, keyComment string
- if content[:len(ssh2keyStart)] == ssh2keyStart {
+ if strings.HasPrefix(content, ssh2keyStart) {
// Parse SSH2 file format.
// Transform all legal line endings to a single "\n".
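Review bot: The new `strings.HasPrefix` condition carries no comment explaining why it replaced the slice expression, and since the commit message describes `content` as user input, that reason belongs next to the code. I would add `// content is user input and may be shorter than ssh2keyStart; slicing it would panic.` directly above the `if`. parseKeyString continues outside this hunk, so any other fixed-offset slicing or indexing of `content` or of its split lines further down cannot be checked from here and presumably deserves the same look. A panic reachable from a submitted key would likely be an availability problem for whatever handler calls this, which is why the length assumption matters.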
diff --git a/models/ssh_key_test.go b/models/ssh_key_test.go
index 4bb612a671..95cd4eeb1a 100644
--- a/models/ssh_key_test.go
+++ b/models/ssh_key_test.go
@@ -131,6 +131,19 @@ AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf
_, err := CheckPublicKeyString(test.content)
assert.NoError(t, err)
}
+
+ for _, invalidKeys := range []struct {
+ content string
+ }{
+ {"test"},
+ {"---- NOT A REAL KEY ----"},
+ {"bad\nkey"},
+ {"\t\t:)\t\r\n"},
+ {"\r\ntest \r\ngitea\r\n\r\n"},
+ } {
+ _, err := CheckPublicKeyString(invalidKeys.content)
+ assert.Error(t, err)
+ }
}
func Test_calcFingerprint(t *testing.T) {
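Review bot: `assert.Error(t, err)` in the new loop does not report which input failed, and the table has no case at the boundary the fix is about. Passing the input as the message, `assert.Error(t, err, "content: %q", invalidKeys.content)`, makes a failure identifiable, and adding `{""}` plus a string that is a proper prefix of ssh2keyStart would pin the short-input path directly. The loop variable holds a single entry, so `invalidKey` reads better, and a plain `[]string` would do in place of the single-field struct. The enclosing test function starts outside the hunk.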