diff options
author | zeripath <art27@cantab.net> | 2020-11-11 20:34:16 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-11 20:34:16 +0000 |
commit | 5d932b35ca4ef56525b815961d7f4f48a5119875 (patch) | |
tree | 73de52928a0155866f6434db52bb122886299e9f /modules/auth | |
parent | 3fd060eb37085df9b075baf23f3c315b92c1073e (diff) | |
download | gitea-5d932b35ca4ef56525b815961d7f4f48a5119875.tar.gz gitea-5d932b35ca4ef56525b815961d7f4f48a5119875.zip |
Disallow urlencoded new lines in git protocol paths if there is a port (#13521)
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/repo_form.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go index 039b0cb583..f27812bb1b 100644 --- a/modules/auth/repo_form.go +++ b/modules/auth/repo_form.go @@ -102,6 +102,9 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string, user *models u.User = url.UserPassword(authUsername, authPassword) } remoteAddr = u.String() + if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) { + return "", models.ErrInvalidCloneAddr{IsURLError: true} + } } else if !user.CanImportLocal() { return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true} } else if !com.IsDir(remoteAddr) { |