Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Instead of using routerCtx just escape the url before routing #18086

Merged
merged 4 commits into from
Dec 24, 2021
Merged

Instead of using routerCtx just escape the url before routing #18086

merged 4 commits into from
Dec 24, 2021

Conversation

zeripath
Copy link
Contributor

A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing #18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviours too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix #17938
Fix #18060
Replace #18062
Replace #17997

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath
Instead of using routerCtx just escape the url before routing
6537838 
A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing go-gitea#18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviours too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix go-gitea#17938
Fix go-gitea#18060
Replace go-gitea#18062
Replace go-gitea#17997

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
Reminder unnecessary test
6909a0f
@codecov-commenter
Copy link

codecov-commenter commented Dec 23, 2021
edited
Loading

Codecov Report

Merging #18086 (c8d5f5f) into main (a5df7ba) will increase coverage by 0.01%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #18086      +/-   ##
==========================================
+ Coverage   44.87%   44.88%   +0.01%     
==========================================
  Files         824      824              
  Lines       91511    91559      +48     
==========================================
+ Hits        41068    41100      +32     
- Misses      43855    43864       +9     
- Partials     6588     6595       +7
Impacted Files Coverage Δ
modules/context/context.go 64.14% <ø> (-0.19%) ⬇️
routers/web/web.go 90.38% <ø> (-0.04%) ⬇️
routers/common/middleware.go 67.56% <100.00%> (+0.90%) ⬆️
modules/convert/repository.go 90.97% <0.00%> (-5.52%) ⬇️
modules/queue/workerpool.go 48.47% <0.00%> (-3.82%) ⬇️
modules/queue/queue_bytefifo.go 57.48% <0.00%> (-1.80%) ⬇️
modules/queue/queue_disk_channel.go 60.94% <0.00%> (-1.78%) ⬇️
models/repo_list.go 83.19% <0.00%> (-0.82%) ⬇️
services/pull/pull.go 41.70% <0.00%> (ø)
modules/structs/repo.go 76.92% <0.00%> (ø)
... and 9 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a5df7ba...c8d5f5f. Read the comment docs.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 23, 2021
@zeripath
add testcase
c8d5f5f 
Signed-off-by: Andrew Thornton <art27@cantab.net>
wxiaoguang
wxiaoguang approved these changes Dec 24, 2021
View reviewed changes
Copy link
Contributor

@wxiaoguang wxiaoguang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing req.URL.RawPath seems strange, but not bad.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 24, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 24, 2021
@wxiaoguang wxiaoguang merged commit 16adaae into go-gitea:main Dec 24, 2021
@zeripath zeripath deleted the alternate-fix-17938-18060-set-url-is-escapedpath branch December 25, 2021 09:02
@zeripath zeripath added backport/v1.15 type/refactoring Existing code has been cleaned up. There should be no new functionality. labels Dec 25, 2021
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 25, 2021
@zeripath
Instead of using routerCtx just escape the url before routing (go-git…
fb00cd6 
…ea#18086)

Backport go-gitea#18086

A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing go-gitea#18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviors too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix go-gitea#17938
Fix go-gitea#18060
Replace go-gitea#18062
Replace go-gitea#17997

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 25, 2021
Merged
@zeripath zeripath added type/bug backport/done All backports for this PR have been created labels Dec 25, 2021
zeripath added a commit that referenced this pull request Dec 26, 2021
@zeripath
Instead of using routerCtx just escape the url before routing (#18086) (
71e1ebf 
#18098)

Backport #18086

A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing #18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviors too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix #17938
Fix #18060
Replace #18062
Replace #17997

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 28, 2021
@zeripath
Changelog v1.15.9
6da724b 
* BUGFIXES
  * Revert "Fix delete u2f keys bug (go-gitea#18042)" (go-gitea#18107)
  * Migrating wiki don't require token, so we should move it out of the require form (go-gitea#17645) (go-gitea#18104)
  * Prevent NPE if gitea uploader fails to open url (go-gitea#18080) (go-gitea#18101)
  * Reset locale on login (go-gitea#17734) (go-gitea#18100)
  * Correctly handle failed migrations (go-gitea#17575) (go-gitea#18099)
  * Instead of using routerCtx just escape the url before routing (go-gitea#18086) (go-gitea#18098)
  * Quote references to the user table in consistency checks (go-gitea#18072) (go-gitea#18073)
  * Add NotFound handler (go-gitea#18062) (go-gitea#18067)
  * Ensure that git repository is closed before transfer (go-gitea#18049) (go-gitea#18057)
  * Use common sessioner for API and web routes (go-gitea#18114)
* TRANSLATION
  * Fix code search result hint on zh-CN (go-gitea#18053)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 28, 2021
Merged
lunny added a commit that referenced this pull request Dec 30, 2021
@zeripath @lunny
Changelog v1.15.9 (#18115)
3db98be 
* BUGFIXES
  * Revert "Fix delete u2f keys bug (#18042)" (#18107)
  * Migrating wiki don't require token, so we should move it out of the require form (#17645) (#18104)
  * Prevent NPE if gitea uploader fails to open url (#18080) (#18101)
  * Reset locale on login (#17734) (#18100)
  * Correctly handle failed migrations (#17575) (#18099)
  * Instead of using routerCtx just escape the url before routing (#18086) (#18098)
  * Quote references to the user table in consistency checks (#18072) (#18073)
  * Add NotFound handler (#18062) (#18067)
  * Ensure that git repository is closed before transfer (#18049) (#18057)
  * Use common sessioner for API and web routes (#18114)
* TRANSLATION
  * Fix code search result hint on zh-CN (#18053)

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Chianina pushed a commit to Chianina/gitea that referenced this pull request Mar 28, 2022
@zeripath
Instead of using routerCtx just escape the url before routing (go-git…
2987176 
…ea#18086)

A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing go-gitea#18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviors too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix go-gitea#17938
Fix go-gitea#18060
Replace go-gitea#18062
Replace go-gitea#17997

Signed-off-by: Andrew Thornton <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug type/refactoring Existing code has been cleaned up. There should be no new functionality.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Trailing slash leads to 404 (regression?) WebGUI: Escape character in folder or file name prevents access
5 participants
@zeripath @codecov-commenter @lunny @wxiaoguang @GiteaBot