
Escape the commit message on issues update and title in telegram hook #6901

Merged
merged 2 commits into from May 10, 2019

Conversation

5 participants
@zeripath
Contributor

commented May 10, 2019

The commit message was not properly being escaped when being referenced in an issue, neither was the issue title escaped in the telegram webhook.

Fortunately the commit message was passed through a sanitiser but it is still possible to corrupt the page structure.
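As an added example (not Gitea's own code; the function names, the HTML fragment, the Telegram message layout, and the sample commit message and issue title are constructed assumptions), this Go program shows the two contexts the PR describes: a commit message interpolated into an HTML fragment on the issue page, and an issue title placed in a Telegram message sent in HTML parse mode. In both cases the untrusted string is escaped before it reaches the markup, and a small check confirms that no raw tag from the input survives into the output.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed sample inputs that stand in for a commit message and an issue
// title containing markup; they are not taken from the PR.
const (
	sampleCommitMessage = `Fix crash on "<script>alert(1)</script>" & friends`
	sampleIssueTitle    = `Login page <b>breaks</b> on Safari`
)

// shortSHA returns the abbreviated form of a commit id (hypothetical helper).
func shortSHA(sha string) string {
	if len(sha) > 7 {
		return sha[:7]
	}
	return sha
}

// referenceCommentUnsafe reproduces the defect the PR describes: the commit
// message is interpolated into an HTML fragment verbatim, so '<' and '&' in
// the message become live markup and can corrupt the page structure.
func referenceCommentUnsafe(sha, message string) string {
	return fmt.Sprintf(`<a href="/commit/%s">%s</a> referenced this issue: %s`,
		sha, shortSHA(sha), message)
}

// referenceCommentEscaped is the hardened form: every untrusted value is run
// through html.EscapeString before it is placed in the fragment, whether it
// lands in element content or in an attribute value.
func referenceCommentEscaped(sha, message string) string {
	return fmt.Sprintf(`<a href="/commit/%s">%s</a> referenced this issue: %s`,
		html.EscapeString(sha), html.EscapeString(shortSHA(sha)), html.EscapeString(message))
}

// telegramReplacer encodes the three characters that Telegram's HTML parse
// mode requires to be escaped outside of tags: '&', '<' and '>'.
// strings.Replacer works in a single pass, so the '&' produced by "&lt;" is
// not escaped a second time.
var telegramReplacer = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;")

// escapeTelegramHTML prepares untrusted text for a message sent with
// parse_mode=HTML.
func escapeTelegramHTML(s string) string {
	return telegramReplacer.Replace(s)
}

// telegramIssueText builds the body of an "issue opened" notification. Without
// escaping, a title such as "<b>breaks</b>" would be rendered as bold by
// Telegram, and an unbalanced tag would make Telegram reject the message.
func telegramIssueText(repo, title, url string) string {
	return fmt.Sprintf("[%s] Issue opened: <a href=\"%s\">%s</a>",
		escapeTelegramHTML(repo), escapeTelegramHTML(url), escapeTelegramHTML(title))
}

// leaksRawTag reports whether a tag from the untrusted input survived into the
// output unescaped, which is the condition the fix is meant to rule out.
func leaksRawTag(output, tag string) bool {
	return strings.Contains(output, tag)
}

func main() {
	sha := "0123456789abcdef0123456789abcdef01234567"
	fmt.Println("unsafe:  ", referenceCommentUnsafe(sha, sampleCommitMessage))
	fmt.Println("escaped: ", referenceCommentEscaped(sha, sampleCommitMessage))
	fmt.Println("telegram:", telegramIssueText("org/repo", sampleIssueTitle, "https://example.invalid/issues/1"))
}
```

The two escapers differ on purpose: html.EscapeString also encodes quotes, which matters when a value can land inside an attribute on the web page, while Telegram documents only `&`, `<` and `>` as mandatory, so the narrower replacer keeps quoted text readable in chat. The important property in both paths is the same: escaping happens at the point where the string is placed into markup, not somewhere upstream where a later code path might forget it.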

zeripath added some commits May 10, 2019

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels May 10, 2019

@codecov-io


commented May 10, 2019

Codecov Report

Merging #6901 into master will increase coverage by <.01%.
The diff coverage is 50%.


@@            Coverage Diff             @@
##           master    #6901      +/-   ##
==========================================
+ Coverage   41.41%   41.42%   +<.01%     
==========================================
  Files         432      432              
  Lines       59541    59541              
==========================================
+ Hits        24658    24663       +5     
+ Misses      31644    31638       -6     
- Partials     3239     3240       +1
Impacted Files               Coverage Δ
models/webhook_telegram.go      0%    <0%>  (ø)       ⬆️
models/action.go             58.77%  <100%>  (ø)       ⬆️
modules/log/router.go          90%    <0%>  (-2.5%)   ⬇️
routers/repo/view.go         43.03%   <0%>  (+1.01%)  ⬆️
models/unit.go               67.56%   <0%>  (+5.4%)   ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 10ff527...bf022d0.

@techknowlogick techknowlogick merged commit d64a646 into go-gitea:master May 10, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr Build is passing
@lafriks

Member

commented May 10, 2019

Please send backport

@zeripath zeripath deleted the zeripath:fix-update-issues-commit branch May 10, 2019

zeripath added a commit to zeripath/gitea that referenced this pull request May 10, 2019

zeripath added a commit that referenced this pull request May 10, 2019

zeripath added a commit to zeripath/gitea that referenced this pull request May 11, 2019

techknowlogick added a commit that referenced this pull request May 11, 2019

Remove local clones & make hooks run on merge/edit/upload (#6672)
* Add options to git.Clone to make it more capable

* Begin the process of removing the local copy and tidy up

* Remove Wiki LocalCopy Checkouts

* Remove the last LocalRepo helpers

* Remove WithTemporaryFile

* Enable push-hooks for these routes

* Ensure tests cope with hooks

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove Repository.LocalCopyPath()

* Move temporary repo to use the standard temporary path

* Fix the tests

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove LocalWikiPath

* Fix missing remove

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Use AppURL for Oauth user link (#6894)

* Use AppURL for Oauth user link

Fix #6843

* Update oauth.go

* Update oauth.go

* internal/ssh: ignore env command totally (#6825)

* ssh: ignore env command totally

* Remove commented code 

Needed fix described in issue #6889

* Escape the commit message on issues update and title in telegram hook (#6901)

* update sdk to latest (#6903)

* improve description of branch protection (fix #6886) (#6906)

The branch protection description text was not quite accurate.

* Fix logging documentation (#6904)

* ENABLE_MACARON_REDIRECT should be REDIRECT_MACARON_LOG

* Allow DISABLE_ROUTER_LOG to be set in the [log] section

* [skip ci] Updated translations via Crowdin

* Move sdk structs to modules/structs (#6905)

* move sdk structs to modules/structs

* fix tests

* fix fmt

* fix swagger

* fix vendor