SECURITY: prevent DeleteFilePost doing arbitrary deletion #5635

Merged
merged 1 commit into from Jan 4, 2019

5 participants
@zeripath
Contributor

zeripath commented Jan 4, 2019

Unfortunately, a suitably malformed request to DeleteFilePost will allow arbitrary deletion. Further, it was also possible to adjust the .git directories on editFilePost and UploadFilePost.

SECURITY: protect DeleteFilePost et al with cleanUploadFileName (#5631)
This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <art27@cantab.net>

@techknowlogick techknowlogick added this to the 1.7.0 milestone Jan 4, 2019

@bkcsoft bkcsoft added the lgtm/need 1 label Jan 4, 2019

@bkcsoft bkcsoft added lgtm/done and removed lgtm/need 1 labels Jan 4, 2019

@jonasfranz jonasfranz merged commit 3ee3a4b into go-gitea:release/v1.7 Jan 4, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr the build was successful

@zeripath zeripath deleted the zeripath:protect-delete-file-v1.7 branch Jan 4, 2019
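
An added example, not code from this pull request or from Gitea: a Go sketch of the kind of tree-path cleaning the commit message describes, where a request-supplied path is rebased onto the repository root and any `.git` component is rejected before a delete, edit, or upload handler uses it. The names `cleanTreePath` and `resolveInRepo`, the repository root, and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanTreePath is a hypothetical helper (not Gitea's cleanUploadFileName).
// It rebases a request-supplied tree path onto the repository root and
// returns "" when any component is ".git" (case-insensitive).
func cleanTreePath(name string) string {
	// Unify separators so backslash forms cannot bypass the component check.
	name = strings.ReplaceAll(name, "\\", "/")
	// Cleaning a rooted path resolves ".." without ever climbing above "/".
	name = strings.Trim(path.Clean("/"+name), "/")
	for _, part := range strings.Split(name, "/") {
		if strings.EqualFold(part, ".git") {
			return ""
		}
	}
	return name
}

// resolveInRepo joins a tree path to repoRoot (assumed layout) and reports
// whether the result is usable. Empty results are refused, so a handler
// never operates on the repository root itself.
func resolveInRepo(repoRoot, treePath string) (string, bool) {
	cleaned := cleanTreePath(treePath)
	if cleaned == "" {
		return "", false
	}
	full := path.Join(repoRoot, cleaned)
	// Defence in depth: confirm the joined path is still under repoRoot.
	if !strings.HasPrefix(full, strings.TrimSuffix(repoRoot, "/")+"/") {
		return "", false
	}
	return full, true
}

func main() {
	// Constructed sample inputs, not taken from the pull request.
	for _, in := range []string{"docs/readme.md", "../../outside.txt", "a/.GIT/config", "a/../.git/hooks/x"} {
		full, ok := resolveInRepo("/data/repos/demo", in)
		fmt.Printf("%-22q ok=%-5v %s\n", in, ok, full)
	}
}
```

Every handler that accepts a tree path needs to pass it through the same cleaning step; the pull request description notes that the delete, edit, and upload handlers were all affected.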
