From ef339713c25253980f98d4c28b3fe5326538664b Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Wed, 13 Nov 2024 10:26:37 +0800 Subject: Refactor internal routers (partial backport, auth token const time comparing) (#32473) (#32479) Partially backport #32473. LFS related changes are not in 1.22, so skip them. 1. Ignore non-existing repos during migrations 2. Improve ReadBatchLine's comment 3. Use `X-Gitea-Internal-Auth` header for internal API calls and make the comparing constant time (it wasn't a serous problem because in a real world it's nearly impossible to timing-attack the token, but indeed security related and good to fix and backport) 4. Fix route mock nil check
---
 modules/git/batch_reader.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'modules/git')
diff --git a/modules/git/batch_reader.go b/modules/git/batch_reader.go
index 3b1a466b2e..7dfda72155 100644
--- a/modules/git/batch_reader.go
+++ b/modules/git/batch_reader.go
@@ -146,9 +146,8 @@ func catFileBatch(ctx context.Context, repoPath string) (WriteCloserError, *bufi
 }
 
 // ReadBatchLine reads the header line from cat-file --batch
-// We expect:
-// SP SP LF
-// sha is a hex encoded here
+// We expect: SP SP LF
+// then leaving the rest of the stream " LF" to be read
 func ReadBatchLine(rd *bufio.Reader) (sha []byte, typ string, size int64, err error) {
 typ, err = rd.ReadString('\n')
 if err != nil {
-- cgit v1.2.3
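Review bot: The rewritten doc comment on ReadBatchLine drops the old line saying the id is hex encoded, so nothing now tells a caller that the returned `sha []byte` holds hex text rather than raw digest bytes. Since this hunk changes only comments, the encoding is presumably unchanged, and it would be worth keeping that as a line such as `// the returned sha is the hex-encoded object ID, not the raw bytes`. The comment could also state what is returned when the header line does not have the expected three fields. That cannot be checked here, because the function body continues past the end of the hunk.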