authorKN4CK3R <admin@oldschoolhack.me>2022-10-22 15:36:44 +0200
committerGitHub <noreply@github.com>2022-10-22 21:36:44 +0800
commit154efa59a5a837d8375c09fb0b18a1b63bea6a3a (patch)
treed12951a4ac49270255a0b9050fa3ddfd7aaab34f
parent69fcca2d4564f706fa41280895e3a20d81740598 (diff)
downloadgitea-154efa59a5a837d8375c09fb0b18a1b63bea6a3a.tar.gz
gitea-154efa59a5a837d8375c09fb0b18a1b63bea6a3a.zip
Prevent Authorization header for presigned LFS urls (#21531)
Fixes #21525 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
-rw-r--r--services/lfs/server.go11
1 files changed, 9 insertions, 2 deletions
diff --git a/services/lfs/server.go b/services/lfs/server.go
index b868db39db..830112fac6 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
}
if download {
- rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+ var link *lfs_module.Link
if setting.LFS.ServeDirect {
// If we have a signed url (S3, object storage), redirect to this directly.
u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)
if u != nil && err == nil {
- rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header}
+ // Presigned url does not need the Authorization header
+ // https://github.com/go-gitea/gitea/issues/21525
+ delete(header, "Authorization")
+ link = &lfs_module.Link{Href: u.String(), Header: header}
}
}
+ if link == nil {
+ link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+ }
+ rep.Actions["download"] = link
}
if upload {
rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}
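Review bot: `delete(header, "Authorization")` mutates the same `header` map that the `if upload` branch at the end of this hunk passes to the upload link, so a call with both `download` and `upload` set and a presigned URL available would return an upload action without its Authorization header. Whether any caller passes both flags cannot be seen here, since `buildObjectResponse` starts and ends outside the hunk, but stripping the credential from a shared map makes the fix depend on that calling pattern. I would give the presigned link its own map, copying every entry except Authorization and leaving `header` untouched, then use it as `link = &lfs_module.Link{Href: u.String(), Header: directHeader}`. The comment there could also say why: the presigned URL points at the object store, presumably a different host, which must not receive the Gitea credential.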