summaryrefslogtreecommitdiffstats
path: root/modules/lfs/http_client.go
diff options
context:
space:
mode:
authorwxiaoguang <wxiaoguang@gmail.com>2021-11-20 17:34:05 +0800
committerGitHub <noreply@github.com>2021-11-20 17:34:05 +0800
commit013fb73068281b45b33c72abaae0c42c8d79c499 (patch)
tree5cb710ea15a6f471648ecf19e2fdfab9804cb084 /modules/lfs/http_client.go
parentc96be0cd982255f20a3fe6ff4683115b8073e65e (diff)
downloadgitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz
gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
Diffstat (limited to 'modules/lfs/http_client.go')
-rw-r--r--modules/lfs/http_client.go14
1 files changed, 8 insertions, 6 deletions
diff --git a/modules/lfs/http_client.go b/modules/lfs/http_client.go
index 5df5ed33a9..a1a3e7f363 100644
--- a/modules/lfs/http_client.go
+++ b/modules/lfs/http_client.go
@@ -7,7 +7,6 @@ package lfs
import (
"bytes"
"context"
- "crypto/tls"
"errors"
"fmt"
"net/http"
@@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int {
return batchSize
}
-func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient {
+func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient {
+ if httpTransport == nil {
+ httpTransport = &http.Transport{
+ Proxy: proxy.Proxy(),
+ }
+ }
+
hc := &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
- Proxy: proxy.Proxy(),
- },
+ Transport: httpTransport,
}
client := &HTTPClient{