aboutsummaryrefslogtreecommitdiffstats
path: root/modules/auth
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2020-11-11 20:34:16 +0000
committerGitHub <noreply@github.com>2020-11-11 20:34:16 +0000
commit5d932b35ca4ef56525b815961d7f4f48a5119875 (patch)
tree73de52928a0155866f6434db52bb122886299e9f /modules/auth
parent3fd060eb37085df9b075baf23f3c315b92c1073e (diff)
downloadgitea-5d932b35ca4ef56525b815961d7f4f48a5119875.tar.gz
gitea-5d932b35ca4ef56525b815961d7f4f48a5119875.zip
Disallow urlencoded new lines in git protocol paths if there is a port (#13521)
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/auth')
-rw-r--r--modules/auth/repo_form.go3
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 039b0cb583..f27812bb1b 100644
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -102,6 +102,9 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string, user *models
u.User = url.UserPassword(authUsername, authPassword)
}
remoteAddr = u.String()
+ if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+ return "", models.ErrInvalidCloneAddr{IsURLError: true}
+ }
} else if !user.CanImportLocal() {
return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
} else if !com.IsDir(remoteAddr) {