author | KN4CK3R <admin@oldschoolhack.me> | 2022-10-22 15:36:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-22 21:36:44 +0800 |
commit | 154efa59a5a837d8375c09fb0b18a1b63bea6a3a (patch) | |
tree | d12951a4ac49270255a0b9050fa3ddfd7aaab34f /services/lfs | |
parent | 69fcca2d4564f706fa41280895e3a20d81740598 (diff) | |
Prevent Authorization header for presigned LFS urls (#21531)
Fixes #21525
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'services/lfs')
-rw-r--r-- | services/lfs/server.go | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/services/lfs/server.go b/services/lfs/server.go
index b868db39db..830112fac6 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
 }
 if download {
- rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+ var link *lfs_module.Link
 if setting.LFS.ServeDirect {
 // If we have a signed url (S3, object storage), redirect to this directly.
 u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)
 if u != nil && err == nil {
- rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header}
+ // Presigned url does not need the Authorization header
+ // https://github.com/go-gitea/gitea/issues/21525
+ delete(header, "Authorization")
+ link = &lfs_module.Link{Href: u.String(), Header: header}
 }
 }
+ if link == nil {
+ link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+ }
+ rep.Actions["download"] = link
 }
 if upload {
 rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header} |
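Review bot: `delete(header, "Authorization")` in the presigned branch mutates the one `header` map that the `if upload` block just below also hands to `rep.Actions["upload"]`, so the credential is removed for every link built from that map afterwards, not only the object-storage one. Whether `download` and `upload` can both be true in a single call is not visible in this hunk, but if they can, the upload link pointing back at Gitea would go out without its Authorization header. Giving the presigned link its own filtered copy keeps the token away from the storage host and leaves the shared map intact for the other actions. buildObjectResponse starts and ends outside the hunk, so any later users of `header` should be checked as well.

```go
if u != nil && err == nil {
	// … unchanged: comment lines referencing issue 21525 …
	// Copy instead of deleting: header is shared with the other actions.
	directHeader := make(map[string]string, len(header))
	for k, v := range header {
		if k != "Authorization" {
			directHeader[k] = v
		}
	}
	link = &lfs_module.Link{Href: u.String(), Header: directHeader}
}
```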