author | wxiaoguang <wxiaoguang@gmail.com> | 2021-11-20 17:34:05 +0800 |
committer | GitHub <noreply@github.com> | 2021-11-20 17:34:05 +0800 |
commit | 013fb73068281b45b33c72abaae0c42c8d79c499 (patch) | |
tree | 5cb710ea15a6f471648ecf19e2fdfab9804cb084 /modules/lfs/http_client.go | |
parent | c96be0cd982255f20a3fe6ff4683115b8073e65e (diff) | |
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmatcher to replace matchlist.
And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
Diffstat (limited to 'modules/lfs/http_client.go')
-rw-r--r-- | modules/lfs/http_client.go | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/modules/lfs/http_client.go b/modules/lfs/http_client.go
index 5df5ed33a9..a1a3e7f363 100644
--- a/modules/lfs/http_client.go
+++ b/modules/lfs/http_client.go
@@ -7,7 +7,6 @@ package lfs
 import (
 "bytes"
 "context"
- "crypto/tls"
 "errors"
 "fmt"
 "net/http"
@@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int {
 return batchSize
 }
-func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient {
+func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient {
+ if httpTransport == nil {
+ httpTransport = &http.Transport{
+ Proxy: proxy.Proxy(),
+ }
+ }
+
 hc := &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
- Proxy: proxy.Proxy(),
- },
+ Transport: httpTransport,
 }
 client := &HTTPClient{
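Review bot: The nil fallback in newHTTPClient builds `&http.Transport{Proxy: proxy.Proxy()}` with no DialContext, so a caller that passes nil gets a transport that, as far as this hunk shows, performs none of the host/IP checking the commit description says is the point of the change and is not subject to the allow/block list at all; either the fallback should be given the same host-checking DialContext, or the nil case must be documented as deliberately unrestricted so no caller relies on it by accident. The new parameter also silently takes over TLS verification, which the removed `tls.Config{InsecureSkipVerify: skipTLSVerify}` used to make explicit at the call site. The function has no doc comment; I would add `// newHTTPClient returns an LFS client that sends every request through httpTransport; the caller owns its TLSClientConfig and any host-restricting DialContext. A nil httpTransport falls back to a proxy-aware transport with no host restrictions.` newHTTPClient's body continues past the end of the hunk.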