From d62ab499784386935fa20152c1c163d0ef62d31a Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 8 Jul 2016 13:57:09 +0800
Subject: #3057 retrieve webhook with repo_id

This prevents user retrieve arbitrary webhook by changing URL to access webhook from other unauthorized repositories.
---
 README.md | 2 +-
 gogs.go | 2 +-
 models/webhook.go | 8 ++++----
 routers/api/v1/repo/hook.go | 2 +-
 routers/repo/webhook.go | 2 +-
 templates/.VERSION | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index e51f5c4984..6f430c90f0 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
-##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
+##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
 | Web | UI | Preview |
 |:-------------:|:-------:|:-------:|
diff --git a/gogs.go b/gogs.go
index 09274060bb..f62d5884fd 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 "github.com/gogits/gogs/modules/setting"
 )
-const APP_VER = "0.9.37.0708"
+const APP_VER = "0.9.38.0708"
 func init() {
 runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/models/webhook.go b/models/webhook.go
index 6d8b8c1682..7a42093b5a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 return err
 }
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 w := new(Webhook)
- has, err := x.Id(id).Get(w)
+ has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 if err != nil {
 return nil, err
 } else if !has {
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 }
 // Update webhook last delivery status.
- w, err := GetWebhookByID(t.HookID)
+ w, err := GetWebhookByID(t.RepoID, t.HookID)
 if err != nil {
 log.Error(5, "GetWebhookByID: %v", err)
 return
diff --git a/routers/api/v1/repo/hook.go b/routers/api/v1/repo/hook.go
index 0cbe6762a8..0dac8f7cf1 100644
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
 func EditHook(ctx *context.APIContext, form api.EditHookOption) {
- w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+ w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 if err != nil {
 if models.IsErrWebhookNotExist(err) {
 ctx.Status(404)
diff --git a/routers/repo/webhook.go b/routers/repo/webhook.go
index 16aa3821a8..460a430aad 100644
--- a/routers/repo/webhook.go
+++ b/routers/repo/webhook.go
@@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
 }
 ctx.Data["BaseLink"] = orCtx.Link
- w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+ w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 if err != nil {
 if models.IsErrWebhookNotExist(err) {
 ctx.Handle(404, "GetWebhookByID", nil)
diff --git a/templates/.VERSION b/templates/.VERSION
index dd6328aeec..d8f833ffde 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.37.0708
\ No newline at end of file
+0.9.38.0708
\ No newline at end of file
-- 
cgit v1.2.3
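Review bot: The new doc comment on GetWebhookByID in models/webhook.go should spell out the authorization consequence of the added repo_id filter, namely that a hook owned by a different repository is reported as not existing rather than as forbidden: `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID; a hook owned by any other repository is reported as not existing, so callers cannot learn whether an ID exists elsewhere.` The filter itself looks right: the repo_id condition is bound as a query parameter rather than concatenated, and changing the signature means any caller that still passes only an id fails to compile instead of silently keeping the unscoped lookup. The function body continues past the hunk, so the `!has` branch that presumably returns the not-exist error is not visible here.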
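Review bot: In the HookTask.deliver hunk the lookup now depends on t.RepoID being populated on every stored hook task; if any rows written before that field was filled carry a zero repo_id, the delivery-status update will now fail and only log `GetWebhookByID: ...` rather than update the hook, which would be a silent regression in delivery bookkeeping. A one-off backfill of repo_id on existing tasks, or an explicit check for a zero RepoID before the lookup, is worth confirming before release. deliver's body starts and ends outside the hunk.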
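Review bot: Neither the EditHook hunk in routers/api/v1/repo/hook.go nor the checkWebhook hunk in routers/repo/webhook.go comes with a regression test, and for an access-control fix like this one a test that requests a hook ID belonging to a different repository through both the API and the web route and expects 404 is what keeps the scoping from regressing. Both call sites also rely on ctx.Repo.Repository having been set by earlier middleware; if either handler were ever registered on a route group without that context, the dereference would panic, so it is worth confirming the route registration requires the repository context. Both functions continue past their hunks, so the remaining error-handling branches are not visible here.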