diff options
| author | wxiaoguang <wxiaoguang@gmail.com> | 2021-11-20 17:34:05 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-20 17:34:05 +0800 |
| commit | 013fb73068281b45b33c72abaae0c42c8d79c499 (patch) | |
| tree | 5cb710ea15a6f471648ecf19e2fdfab9804cb084 /routers/api/v1 | |
| parent | c96be0cd982255f20a3fe6ff4683115b8073e65e (diff) | |
| download | gitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip | |
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist.
And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
Diffstat (limited to 'routers/api/v1')
| -rw-r--r-- | routers/api/v1/repo/migrate.go | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go index 1880a88367..767972ee98 100644 --- a/routers/api/v1/repo/migrate.go +++ b/routers/api/v1/repo/migrate.go @@ -253,10 +253,8 @@ func handleRemoteAddrError(ctx *context.APIContext, err error) { case addrErr.IsPermissionDenied: if addrErr.LocalPath { ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import local repositories.") - } else if len(addrErr.PrivateNet) == 0 { - ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from blocked hosts.") } else { - ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from private IPs.") + ctx.Error(http.StatusUnprocessableEntity, "", "You can not import from disallowed hosts.") } case addrErr.IsInvalidPath: ctx.Error(http.StatusUnprocessableEntity, "", "Invalid local path, it does not exist or not a directory.") |