author | Unknwon <u@gogs.io> | 2015-12-14 17:06:54 -0500 |
---|---|---|
committer | Unknwon <u@gogs.io> | 2015-12-14 17:06:54 -0500 |
commit | 3362b3a44f9f4e0e482b08151e298f7809eefc59 (patch) | |
tree | 1cc06a33b090f888e1f3e386b572dda0d609cb7e /routers/repo/pull.go | |
parent | 50264200f04d227ce5e36792cb7b951789693570 (diff) | |
fix possible disclosure
Diffstat (limited to 'routers/repo/pull.go')
-rw-r--r-- | routers/repo/pull.go | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index d0c1cb6703..38a4c47029 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -6,7 +6,6 @@ package repo
 import (
 "container/list"
- "errors"
 "path"
 "strings"
@@ -644,17 +643,24 @@ func CompareAndPullRequestPost(ctx *middleware.Context, form auth.CreateIssueFor
 }
 func TriggerTask(ctx *middleware.Context) {
- _, repo := parseOwnerAndRepo(ctx)
+ branch := ctx.Query("branch")
+ secret := ctx.Query("secret")
+ if len(branch) == 0 || len(secret) == 0 {
+ ctx.Error(404)
+ log.Trace("TriggerTask: branch or secret is empty")
+ return
+ }
+ owner, repo := parseOwnerAndRepo(ctx)
 if ctx.Written() {
 return
 }
- branch := ctx.Query("branch")
- if len(branch) == 0 {
- ctx.Handle(422, "TriggerTask", errors.New("branch is empty"))
+ if secret != base.EncodeMD5(owner.Salt) {
+ ctx.Error(404)
+ log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
 return
 }
- log.Trace("TriggerTask[%d].(new request): %s", repo.ID, branch)
+ log.Trace("TriggerTask [%d].(new request): %s", repo.ID, branch)
 go models.HookQueue.Add(repo.ID)
 go models.AddTestPullRequestTask(repo.ID, branch) |
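Review bot: The added check `if secret != base.EncodeMD5(owner.Salt) {` in TriggerTask compares the caller-supplied secret with ordinary string inequality, which is not constant-time. Importing `crypto/subtle` and writing `if subtle.ConstantTimeCompare([]byte(secret), []byte(base.EncodeMD5(owner.Salt))) != 1 {` would keep the comparison from revealing how much of the value matched. The expected value is an unkeyed MD5 of `owner.Salt` and arrives in the query string, so it is likely to be recorded in access and proxy logs. If that salt is also used for password hashing (not visible here), the secret cannot be rotated on its own, so a dedicated random token per owner or repository would be a safer basis. The end of TriggerTask is not visible in this hunk.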