Instead of using routerCtx just escape the url before routing #18086

zeripath

A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing #18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviours too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix #17938
Fix #18060
Replace #18062
Replace #17997

Signed-off-by: Andrew Thornton [email protected]


codecov-commenter commented Dec 23, 2021

Codecov Report

Merging #18086 (c8d5f5f) into main (a5df7ba) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main   #18086      +/-   ##
==========================================
+ Coverage   44.87%   44.88%   +0.01%     
==========================================
  Files         824      824              
  Lines       91511    91559      +48     
==========================================
+ Hits        41068    41100      +32     
- Misses      43855    43864       +9     
- Partials     6588     6595       +7     
| Impacted Files | Coverage Δ |
| --- | --- |
| modules/context/context.go | 64.14% <ø> (-0.19%) ⬇️ |
| routers/web/web.go | 90.38% <ø> (-0.04%) ⬇️ |
| routers/common/middleware.go | 67.56% <100.00%> (+0.90%) ⬆️ |
| modules/convert/repository.go | 90.97% <0.00%> (-5.52%) ⬇️ |
| modules/queue/workerpool.go | 48.47% <0.00%> (-3.82%) ⬇️ |
| modules/queue/queue_bytefifo.go | 57.48% <0.00%> (-1.80%) ⬇️ |
| modules/queue/queue_disk_channel.go | 60.94% <0.00%> (-1.78%) ⬇️ |
| models/repo_list.go | 83.19% <0.00%> (-0.82%) ⬇️ |
| services/pull/pull.go | 41.70% <0.00%> (ø) |
| modules/structs/repo.go | 76.92% <0.00%> (ø) |
| ... and 9 more | |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 23, 2021
Signed-off-by: Andrew Thornton <[email protected]>
@wxiaoguang wxiaoguang left a comment

Changing req.URL.RawPath seems strange, but not bad.
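
The pre-escaping idea from the pull request description, and the `req.URL.RawPath` change mentioned in the review, as an added example that is not Gitea's code. `routePath`, `preEscape`, `seenBy` and the sample paths are hypothetical; `routePath` assumes a router that matches on `RawPath` when it is set and on `Path` otherwise.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// routePath models the string a router matches on (assumption for this example):
// RawPath when net/http populated it, otherwise the already-decoded Path.
func routePath(r *http.Request) string {
	if r.URL.RawPath != "" {
		return r.URL.RawPath
	}
	return r.URL.Path
}

// preEscape is a hypothetical middleware: it forces RawPath to the escaped form
// before routing, so every request is matched on the same encoding.
func preEscape(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		req.URL.RawPath = req.URL.EscapedPath()
		next.ServeHTTP(w, req)
	})
}

// seenBy returns the path the router would match for target, with or without preEscape.
func seenBy(target string, escape bool) string {
	var got string
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = routePath(r)
	})
	if escape {
		h = preEscape(h)
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, target, nil))
	return got
}

func main() {
	// Constructed sample paths: a space, an encoded slash, a literal percent sign.
	for _, p := range []string{"/o/r/src/a%20b", "/o/r/src/a%2Fb", "/o/r/src/100%25"} {
		fmt.Printf("%-16s plain=%q pre-escaped=%q\n", p, seenBy(p, false), seenBy(p, true))
	}
}
```

Without the middleware the router sees a decoded path for `%20` and `%25` but an encoded one for `%2F`, because `net/http` only fills `RawPath` when the default encoding of `Path` differs from the request line; with it, all three arrive escaped and a handler can unescape parameters uniformly.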

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 24, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 24, 2021
@wxiaoguang wxiaoguang merged commit 16adaae into go-gitea:main Dec 24, 2021
@zeripath zeripath deleted the alternate-fix-17938-18060-set-url-is-escapedpath branch December 25, 2021 09:02
@zeripath zeripath added backport/v1.15 type/refactoring Existing code has been cleaned up. There should be no new functionality. labels Dec 25, 2021
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 25, 2021
…ea#18086)

Backport go-gitea#18086

@zeripath zeripath added type/bug backport/done All backports for this PR have been created labels Dec 25, 2021
zeripath added a commit that referenced this pull request Dec 26, 2021
#18098)

Backport #18086

zeripath added a commit to zeripath/gitea that referenced this pull request Dec 28, 2021
* BUGFIXES
  * Revert "Fix delete u2f keys bug (go-gitea#18042)" (go-gitea#18107)
  * Migrating wiki don't require token, so we should move it out of the require form (go-gitea#17645) (go-gitea#18104)
  * Prevent NPE if gitea uploader fails to open url (go-gitea#18080) (go-gitea#18101)
  * Reset locale on login (go-gitea#17734) (go-gitea#18100)
  * Correctly handle failed migrations (go-gitea#17575) (go-gitea#18099)
  * Instead of using routerCtx just escape the url before routing (go-gitea#18086) (go-gitea#18098)
  * Quote references to the user table in consistency checks (go-gitea#18072) (go-gitea#18073)
  * Add NotFound handler (go-gitea#18062) (go-gitea#18067)
  * Ensure that git repository is closed before transfer (go-gitea#18049) (go-gitea#18057)
  * Use common sessioner for API and web routes (go-gitea#18114)
* TRANSLATION
  * Fix code search result hint on zh-CN (go-gitea#18053)

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath mentioned this pull request Dec 28, 2021
lunny added a commit that referenced this pull request Dec 30, 2021
* BUGFIXES
  * Revert "Fix delete u2f keys bug (#18042)" (#18107)
  * Migrating wiki don't require token, so we should move it out of the require form (#17645) (#18104)
  * Prevent NPE if gitea uploader fails to open url (#18080) (#18101)
  * Reset locale on login (#17734) (#18100)
  * Correctly handle failed migrations (#17575) (#18099)
  * Instead of using routerCtx just escape the url before routing (#18086) (#18098)
  * Quote references to the user table in consistency checks (#18072) (#18073)
  * Add NotFound handler (#18062) (#18067)
  * Ensure that git repository is closed before transfer (#18049) (#18057)
  * Use common sessioner for API and web routes (#18114)
* TRANSLATION
  * Fix code search result hint on zh-CN (#18053)

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: Lunny Xiao <[email protected]>
Chianina pushed a commit to Chianina/gitea that referenced this pull request Mar 28, 2022
…ea#18086)

@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Successfully merging this pull request may close these issues.

* Trailing slash leads to 404 (regression?)
* WebGUI: Escape character in folder or file name prevents access