
Escape the commit message on issues update and title in telegram hook #6901

Merged
Merged 2 commits on May 10, 2019

Conversation

zeripath (Contributor)

The commit message was not properly being escaped when being referenced in an issue, neither was the issue title escaped in the telegram webhook.

Fortunately the commit message was passed through a sanitiser but it is still possible to corrupt the page structure.
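The two sinks described above, as an added example in Go that is not Gitea's own code: a commit message interpolated into the HTML fragment recorded on an issue, and an issue title interpolated into the Telegram webhook body. The helper names, the fragment layouts, the sample inputs and the assumption that the Telegram hook is sent in Telegram's HTML parse mode are all illustrative assumptions, not taken from the project. With escape=false each function reproduces the unescaped behaviour; with escape=true it runs the untrusted string through html.EscapeString, the kind of fix this PR applies. A minimal tag-balance check shows how a crafted message breaks the fragment's structure, which is the problem a downstream sanitiser that only strips dangerous tags does not prevent.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed attacker-controlled inputs for the demonstration (not real data).
const (
	sampleCommitMessage = `Fix crash on empty input</b><i>layout now broken`
	sampleIssueTitle    = `Login fails</b><a href="https://example.invalid">click`
)

// issueRefComment builds the HTML fragment recorded on an issue when a commit
// message references it. The layout is an assumption for illustration, not
// Gitea's template. escape=false reproduces the pre-fix behaviour.
func issueRefComment(sha, commitURL, message string, escape bool) string {
	if escape {
		message = html.EscapeString(message) // escapes < > & ' "
	}
	return fmt.Sprintf(`<a href="%s">%s</a> referenced this issue: <b>%s</b>`,
		commitURL, sha, message)
}

// telegramText builds the body sent to Telegram. The hook is assumed here to
// use Telegram's HTML parse mode, where a stray tag in the title changes how
// the whole message renders or makes Telegram reject it.
func telegramText(repoLink, repoName, title string, escape bool) string {
	if escape {
		title = html.EscapeString(title)
	}
	return fmt.Sprintf(`[<a href="%s">%s</a>] Issue opened: <b>%s</b>`,
		repoLink, repoName, title)
}

// tagsBalanced is a minimal structural check: every opening tag must be
// closed by a matching closing tag in LIFO order. It does not handle '>'
// inside attribute values; it is only meant to show that an unescaped value
// can break the structure of the fragment it is embedded in.
func tagsBalanced(fragment string) bool {
	var stack []string
	rest := fragment
	for {
		start := strings.IndexByte(rest, '<')
		if start < 0 {
			break
		}
		end := strings.IndexByte(rest[start:], '>')
		if end < 0 {
			return false // unterminated tag
		}
		tag := rest[start+1 : start+end]
		rest = rest[start+end+1:]
		fields := strings.Fields(tag)
		if len(fields) == 0 {
			return false
		}
		name := fields[0]
		if strings.HasPrefix(name, "/") {
			n := len(stack)
			if n == 0 || stack[n-1] != name[1:] {
				return false // closing tag with no matching opener
			}
			stack = stack[:n-1]
		} else {
			stack = append(stack, name)
		}
	}
	return len(stack) == 0
}

func main() {
	for _, escape := range []bool{false, true} {
		c := issueRefComment("abc1234", "https://example.invalid/c/abc1234", sampleCommitMessage, escape)
		t := telegramText("https://example.invalid/o/r", "o/r", sampleIssueTitle, escape)
		fmt.Printf("escape=%v  issue comment balanced=%v  telegram body balanced=%v\n",
			escape, tagsBalanced(c), tagsBalanced(t))
	}
}
```

The point of escaping at the sink rather than relying on a sanitiser: html.EscapeString turns the attacker's `</b>` into `&lt;/b&gt;`, so the surrounding `<b>...</b>` stays intact, whereas a sanitiser applied later sees a well-formed-looking stream of tags and leaves the rearranged structure in place.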

@techknowlogick added this to the 1.9.0 milestone, May 10, 2019
@techknowlogick added the labels backport/v1.8 and type/refactoring (existing code has been cleaned up; there should be no new functionality), May 10, 2019
@GiteaBot added the label lgtm/need 1 (this PR needs approval from one additional maintainer to be merged), May 10, 2019
@GiteaBot added the label lgtm/done (this PR has enough approvals to get merged; there are no important open reservations anymore) and removed lgtm/need 1, May 10, 2019
@codecov-io

Codecov Report

Merging #6901 into master will increase coverage by <.01%.
The diff coverage is 50%.


@@            Coverage Diff             @@
##           master    #6901      +/-   ##
==========================================
+ Coverage   41.41%   41.42%   +<.01%     
==========================================
  Files         432      432              
  Lines       59541    59541              
==========================================
+ Hits        24658    24663       +5     
+ Misses      31644    31638       -6     
- Partials     3239     3240       +1
Impacted files (coverage, diff coverage, Δ):
  models/webhook_telegram.go   0%       <0%>    (ø)      ⬆️
  models/action.go             58.77%   <100%>  (ø)      ⬆️
  modules/log/router.go        90%      <0%>    (-2.5%)  ⬇️
  routers/repo/view.go         43.03%   <0%>    (+1.01%) ⬆️
  models/unit.go               67.56%   <0%>    (+5.4%)  ⬆️


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 10ff527...bf022d0. Read the comment docs.

@techknowlogick techknowlogick merged commit d64a646 into go-gitea:master May 10, 2019
lafriks (Member) commented May 10, 2019

Please send backport

@zeripath zeripath deleted the fix-update-issues-commit branch May 10, 2019 19:20
zeripath added a commit to zeripath/gitea that referenced this pull request May 10, 2019
@lafriks lafriks added the backport/done All backports for this PR have been created label May 11, 2019
techknowlogick pushed a commit that referenced this pull request May 11, 2019
* Add options to git.Clone to make it more capable

* Begin the process of removing the local copy and tidy up

* Remove Wiki LocalCopy Checkouts

* Remove the last LocalRepo helpers

* Remove WithTemporaryFile

* Enable push-hooks for these routes

* Ensure tests cope with hooks

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove Repository.LocalCopyPath()

* Move temporary repo to use the standard temporary path

* Fix the tests

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove LocalWikiPath

* Fix missing remove

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Use AppURL for Oauth user link (#6894)

* Use AppURL for Oauth user link

Fix #6843

* Update oauth.go

* Update oauth.go

* internal/ssh: ignore env command totally (#6825)

* ssh: ignore env command totally

* Remove commented code 

Needed fix described in issue #6889

* Escape the commit message on issues update and title in telegram hook (#6901)

* update sdk to latest (#6903)

* improve description of branch protection (fix #6886) (#6906)

The branch protection description text was not quite accurate.

* Fix logging documentation (#6904)

* ENABLE_MACARON_REDIRECT should be REDIRECT_MACARON_LOG

* Allow DISABLE_ROUTER_LOG to be set in the [log] section

* [skip ci] Updated translations via Crowdin

* Move sdk structs to modules/structs (#6905)

* move sdk structs to modules/structs

* fix tests

* fix fmt

* fix swagger

* fix vendor
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels: backport/done, lgtm/done, type/refactoring
5 participants