Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Show full name if DEFAULT_SHOW_FULL_NAME setting enabled #6710
@@ Coverage Diff @@ ## master #6710 +/- ## ========================================= Coverage ? 41.32% ========================================= Files ? 432 Lines ? 59552 Branches ? 0 ========================================= Hits ? 24611 Misses ? 31703 Partials ? 3238
This is replacing something relatively limited like usernames -- which can only be letters, numbers, _, and . -- with user controlled input that currently has no real limitations other than length.
Unfortunately, I don't think Gitea can safely handle this type of change as-is without some more in depth testing. I checked out this PR and was able to find a security issue within a few minutes:
Create an issue with a user.
Change the users full name to
Then visit http://example.com/user/repo/issues
It will execute the code above. This is true for any of the
At minimum there should need to be some type of sanitizing of the full name and double checking of every location that would use it to make sure it isn't easy to break out of the expected HTML as seen above.