lines changed Original file line number Diff line number Diff line change @@ -26,6 +26,7 @@ All notable changes to Gogs are documented in this file.
2626- _ Security:_ OS Command Injection in file editor. [ #7000 ] ( https://github.com/gogs/gogs/issues/7000 )
2727- _ Security:_ Sanitize ` DisplayName ` in repository issue list. [ #7009 ] ( https://github.com/gogs/gogs/pull/7009 )
2828- _ Security:_ Path Traversal in file editor on Windows. [ #7001 ] ( https://github.com/gogs/gogs/issues/7001 )
29+ - _ Security:_ Path Traversal in Git HTTP endpoints. [ #7002 ] ( https://github.com/gogs/gogs/issues/7002 )
2930- Unable to use LDAP authentication on ARM machines. [ #6761 ] ( https://github.com/gogs/gogs/issues/6761 )
3031- Unable to init repository during creation on Windows. [ #6967 ] ( https://github.com/gogs/gogs/issues/6967 )
3132- Mysterious panic on ` Value not found for type *repo.HTTPContext ` . [ #6963 ] ( https://github.com/gogs/gogs/issues/6963 )
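--- a/[pathutil test file path not shown on page]
+++ b/[pathutil test file path not shown on page]
@@ -27,6 +27,10 @@ func TestClean(t *testing.T) {
 path : "/../a/b/../c/../readme.txt" ,
 wantVal : "a/readme.txt" ,
 },
+{
+path : "../../objects/info/.." ,
+wantVal : "objects" ,
+},
 {
 path : "/a/readme.txt" ,
 wantVal : "a/readme.txt" ,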
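Review bot: The new case checks two behaviours at once — stripping the leading `../../` and collapsing the trailing `info/..` — without saying which one it is meant to regress, so a reader of TestClean cannot tell whether a later change to either is intentional. A one-line comment on the case would settle that, e.g. `// #7002: a leading ".." must not escape the root; a trailing ".." collapses` (the issue number is the one the changelog entry in this commit links). If Clean drops leading parent segments as the existing "/../a/b/../c/../readme.txt" case suggests, a case with a clean tail such as `../objects` expecting `objects` would isolate the root-escape behaviour that the route guard depends on. TestClean begins before the hunk.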
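--- a/[route file path not shown on page]
+++ b/[route file path not shown on page]
@@ -24,6 +24,7 @@ import (
 "gogs.io/gogs/internal/conf"
 "gogs.io/gogs/internal/db"
 "gogs.io/gogs/internal/lazyregexp"
+"gogs.io/gogs/internal/pathutil"
 "gogs.io/gogs/internal/tool"
 )
 
@@ -408,15 +409,21 @@ func HTTP(c *HTTPContext) {
 }
 
 if route .method != c .Req .Method {
-c .NotFound ( )
+c .Error ( http . StatusNotFound )
 return
 }
 
-file := strings .TrimPrefix (reqPath , m [1 ]+ "/" )
-dir , err := getGitRepoPath (m [1 ])
+cleaned := pathutil .Clean (m [1 ])
+if m [1 ] != "/" + cleaned {
+c .Error (http .StatusBadRequest , "Request path contains suspicious characters" )
+return
+}
+
+file := strings .TrimPrefix (reqPath , cleaned )
+dir , err := getGitRepoPath (cleaned )
 if err != nil {
 log .Warn ("HTTP.getGitRepoPath: %v" , err )
-c .NotFound ( )
+c .Error ( http . StatusNotFound )
 return
 }
 
@@ -435,5 +442,5 @@ func HTTP(c *HTTPContext) {
 return
 }
 
-c .NotFound ( )
+c .Error ( http . StatusNotFound )
 }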
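Review bot: The prefix given to strings.TrimPrefix on the new `file :=` line in the second hunk no longer matches the request path the way the removed line did: the old prefix was `m[1]+"/"`, whereas `cleaned` has no leading slash (the guard just above only passes when `m[1] == "/"+cleaned`) and no trailing slash, so if reqPath starts with m[1] — as the removed line assumed — the trim is a no-op and `file` keeps the whole request path including the repository segment. Because the guard already establishes that m[1] equals "/"+cleaned, restoring the old form loses nothing: `file := strings.TrimPrefix(reqPath, m[1]+"/")`. reqPath is built before the hunk, so whether it carries the leading slash cannot be confirmed here; the same caution applies to getGitRepoPath, which now receives the slash-less `cleaned` where it previously received m[1]. The HTTP function opens before the second hunk and is closed by the third.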