diff options
| author | Giteabot <teabot@gitea.io> | 2023-10-06 22:51:26 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-06 16:51:26 +0200 |
| commit | 5b670d83e1a2edc05c3f94b59bc99b9acd2c1023 (patch) | |
| tree | 4afdc51e5d18f81dd77b1ded77f5204dcee478a8 /playwright.config.js | |
| parent | 9207331f4dad9ac767915b8abc7a119d5d6bce1c (diff) | |
| download | gitea-1.21.0-rc1.tar.gz gitea-1.21.0-rc1.zip | |
Fix panic in storageHandler (#27446) (#27479)v1.21.0-rc1
Backport #27446 by @sryze
storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).
Example CURL command to trigger the panic:
```
curl -I "http://yourhost/gitea//avatars/a"
```
Fixes #27409
---
Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.
Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)
Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
Diffstat (limited to 'playwright.config.js')
0 files changed, 0 insertions, 0 deletions