diff options
| author | Giteabot <teabot@gitea.io> | 2023-11-14 07:03:56 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-14 00:03:56 +0100 |
| commit | 69ea554e2362e5c4943c2463c2ec547bf631f18b (patch) | |
| tree | c1edf3adee273eabf3b706d4c8901129fd915593 | |
| parent | c077a084d7bac8acc1bd247b2bd3d60835a17ded (diff) | |
| download | gitea-69ea554e2362e5c4943c2463c2ec547bf631f18b.tar.gz gitea-69ea554e2362e5c4943c2463c2ec547bf631f18b.zip | |
Dont leak private users via extensions (#28023) (#28028)
Backport #28023 by @6543
there was no check in place if a user could see a other user, if you
append e.g. `.rss`
| -rw-r--r-- | routers/web/user/home.go | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/routers/web/user/home.go b/routers/web/user/home.go index 3a7630fb32..1dfbafafa7 100644 --- a/routers/web/user/home.go +++ b/routers/web/user/home.go @@ -821,6 +821,11 @@ func UsernameSubRoute(ctx *context.Context) { reloadParam := func(suffix string) (success bool) { ctx.SetParams("username", strings.TrimSuffix(username, suffix)) context_service.UserAssignmentWeb()(ctx) + // check view permissions + if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) { + ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name)) + return false + } return !ctx.Written() } switch { |