authorzeripath <art27@cantab.net>2019-01-04 16:08:26 +0000
committertechknowlogick <hello@techknowlogick.com>2019-01-04 11:08:26 -0500
commitfd1e8563f8713265df2e402e9387e0964efc42e2 (patch)
tree0f98747db11594a580f0dfbd16393e6e73e10246 /routers
parent5a1ea37f577e5f085e122593ccbd7cd9e23a8f65 (diff)
SECURITY: protect DeleteFilePost et al with cleanUploadFileName (#5631)
This commit wraps more of the TreePaths with cleanUploadFileName.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'routers')
-rw-r--r--routers/repo/editor.go20
1 files changed, 18 insertions, 2 deletions
diff --git a/routers/repo/editor.go b/routers/repo/editor.go
index f64b0002ae..4e3557dbb2 100644
--- a/routers/repo/editor.go
+++ b/routers/repo/editor.go
@@ -163,7 +163,11 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
branchName = form.NewBranchName
}
- form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
+ form.TreePath = cleanUploadFileName(form.TreePath)
+ if len(form.TreePath) == 0 {
+ ctx.Error(500, "Upload file name is invalid")
+ return
+ }
treeNames, treePaths := getParentTreeFields(form.TreePath)
ctx.Data["TreePath"] = form.TreePath
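Review bot: The rejection added right after the cleanUploadFileName assignment answers a malformed user-supplied path with `ctx.Error(500, ...)`, which reports a client input problem as a server fault; `ctx.Error(400, "Upload file name is invalid")` is the fitting status and keeps genuine 500s meaningful in logs and alerting. The same status is used in the DeleteFilePost and UploadFilePost hunks below. The message also says "Upload" inside an edit handler; "Edit file name is invalid" would match the wording chosen for the delete handler. editFilePost begins before this hunk and continues after it, so I cannot see whether its other validation failures re-render the form rather than aborting — if they do, this path would be more consistent doing the same.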
@@ -373,6 +377,13 @@ func DeleteFile(ctx *context.Context) {
func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) {
ctx.Data["PageIsDelete"] = true
ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
+
+ ctx.Repo.TreePath = cleanUploadFileName(ctx.Repo.TreePath)
+ if len(ctx.Repo.TreePath) == 0 {
+ ctx.Error(500, "Delete file name is invalid")
+ return
+ }
+
ctx.Data["TreePath"] = ctx.Repo.TreePath
canCommit := renderCommitRights(ctx)
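Review bot: The guard covers only the POST; the GET handler DeleteFile, named in the hunk header just above, still renders the confirmation page with the raw ctx.Repo.TreePath as far as this hunk shows. Since the POST re-validates before any repository operation this is not a bypass, but the displayed path and the validated path can then differ, so applying the same `ctx.Repo.TreePath = cleanUploadFileName(ctx.Repo.TreePath)` in DeleteFile would keep both consistent. Writing the cleaned value back into ctx.Repo.TreePath means every later use in DeleteFilePost sees the cleaned path, which is the right choice. DeleteFilePost continues past the end of the hunk.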
@@ -477,7 +488,12 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
branchName = form.NewBranchName
}
- form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
+ form.TreePath = cleanUploadFileName(form.TreePath)
+ if len(form.TreePath) == 0 {
+ ctx.Error(500, "Upload file name is invalid")
+ return
+ }
+
treeNames, treePaths := getParentTreeFields(form.TreePath)
if len(treeNames) == 0 {
// We must at least have one element for user to input.
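Review bot: The new empty-path check rejects uploading to the repository root: an empty TreePath is the normal value for a root upload, and the code directly below (`if len(treeNames) == 0 { // We must at least have one element for user to input.`) exists precisely to handle that case, but it is now unreachable for root uploads because the 500 fires first. Unlike editFilePost and DeleteFilePost, where an empty path is never valid, here the four-line check should go, leaving `form.TreePath = cleanUploadFileName(form.TreePath)` followed directly by `treeNames, treePaths := getParentTreeFields(form.TreePath)`. cleanUploadFileName is not on the page; if it maps both a root path and a rejected name to the empty string, the caller cannot tell them apart, and a distinct rejection signal (for example a second boolean return) would be needed to keep rejecting bad directory names here without losing root uploads. The hunk ends inside the if block and UploadFilePost continues past it.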