authorLefsFlare <LefsFlarey@users.noreply.github.com>2016-11-12 20:26:45 +0800
committerThibault Meyer <0xbaadf00d@users.noreply.github.com>2016-11-12 13:26:45 +0100
commit3ef022b0713aa1356b21a879c4e7140670078b57 (patch)
treebb64a58d62dabd5b56b5b6ac435cd890d3e37957
parent3dedc027accc3f696a2cb08967177d770fe976de (diff)
Fixes possible vulnerabilities with keyword hijacking (#20)
- Added public entries to reserved keywords list - Rename variables - Derped comment
-rw-r--r--models/user.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/models/user.go b/models/user.go
index 8d73e180f0..d97ced931a 100644
--- a/models/user.go
+++ b/models/user.go
@@ -505,12 +505,12 @@ func NewGhostUser() *User {
}
var (
- reversedUsernames = []string{"debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
- reversedUserPatterns = []string{"*.keys"}
+ reservedUsernames = []string{"assets", "css", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
+ reservedUserPatterns = []string{"*.keys"}
)
// isUsableName checks if name is reserved or pattern of name is not allowed
-// based on given reversed names and patterns.
+// based on given reserved names and patterns.
// Names are exact match, patterns can be prefix or suffix match with placeholder '*'.
func isUsableName(names, patterns []string, name string) error {
name = strings.TrimSpace(strings.ToLower(name))
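Review bot: `reservedUsernames` is still a hand-copied denylist, and nothing in this hunk ties it to the public entries and top-level routes it is meant to protect, so the next directory or route added can be claimed as a username until someone updates the slice. State the invariant above the declaration, e.g. `// reservedUsernames must list every top-level route and every entry served from the public directory; an account with one of these names would collide with that path.` A test that enumerates the public entries and asserts `IsUsableUsername` rejects each one would catch drift automatically. The check presumably runs only when a name is created or changed, so accounts that already hold one of the six newly reserved names ("assets", "css", "img", "js", "less", "plugins") may need a one-off audit. The body of isUsableName continues outside the hunk, so how the names and patterns are matched is not visible here.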
@@ -535,7 +535,7 @@ func isUsableName(names, patterns []string, name string) error {
}
func IsUsableUsername(name string) error {
- return isUsableName(reversedUsernames, reversedUserPatterns, name)
+ return isUsableName(reservedUsernames, reservedUserPatterns, name)
}
// CreateUser creates record of a new user.