Clean paths when looking in Storage #19124
Ensure paths are clean for minio as well as local storage.
Use url.Path not RequestURI/EscapedPath in storageHandler.
Signed-off-by: Andrew Thornton <[email protected]>
Why not refuse the unexpected path?

Well, it seems equivalent to just clean the path, as refusing the uncleaned path requires cleaning the path in the first place. It just seems easier to return the cleaned path and ignore the attempt to be evil in the first place.
Generally LGTM.
We do not need to refuse anything, just clean the path and pass it to the storage; that's already secure and enough. A non-existing file (from a malicious request) will be responded to with a 404 because the path has been cleaned.
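The approach the comments above settle on, as an added Go example (not the project's own code): derive the storage key from the decoded `url.Path`, `path.Clean` it instead of refusing anything, and let a key that does not exist fall through to 404. The function names, the `/avatars/` prefix and the in-memory store standing in for the bucket are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// storageKey turns a request URL into the object key looked up in storage,
// following the PR's approach: take the decoded url.Path (not
// RequestURI/EscapedPath, which keep encoded separators path.Clean cannot
// see), strip the route prefix, and path.Clean what remains so "..", "." and
// doubled slashes are collapsed before the key reaches local or minio storage.
// Nothing is refused: a request that tried to climb out of the prefix simply
// yields a key that does not exist there.
func storageKey(prefix, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	rel := strings.TrimPrefix(u.Path, prefix)
	if rel == u.Path {
		return "", fmt.Errorf("%q is not under route prefix %q", u.Path, prefix)
	}
	// Clean a rooted path so ".." can never rise above "/", then drop that "/".
	return strings.TrimPrefix(path.Clean("/"+rel), "/"), nil
}

// serve reproduces the handler's outcome against an in-memory stand-in for
// the bucket: any cleaned key that is not present is answered with 404.
func serve(store map[string][]byte, prefix, rawURL string) int {
	key, err := storageKey(prefix, rawURL)
	if err != nil {
		return http.StatusNotFound
	}
	if _, ok := store[key]; !ok {
		return http.StatusNotFound
	}
	return http.StatusOK
}

func main() {
	store := map[string][]byte{"abc123": []byte("constructed avatar bytes")} // constructed sample bucket
	for _, r := range []string{"/avatars/abc123", "/avatars/../../outside", "/avatars/sub%2F..%2Fabc123"} {
		key, _ := storageKey("/avatars/", r)
		fmt.Printf("%-30s -> key %-10q status %d\n", r, key, serve(store, "/avatars/", r))
	}
}
```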
Backport go-gitea#19124

* Clean paths when looking in Storage

  Ensure paths are clean for minio as well as local storage. Use url.Path not RequestURI/EscapedPath in storageHandler.

  Signed-off-by: Andrew Thornton <[email protected]>

* Apply suggestions from code review

  Co-authored-by: Lauris BH <[email protected]>
## [1.16.5](https://github.com/go-gitea/gitea/releases/tag/1.16.5) - 2022-03-23

* BREAKING
  * Bump to build with go1.18 (go-gitea#19120 et al) (go-gitea#19127)
* SECURITY
  * Prevent redirect to Host (2) (go-gitea#19175) (go-gitea#19186)
  * Try to prevent autolinking of displaynames by email readers (go-gitea#19169) (go-gitea#19183)
  * Clean paths when looking in Storage (go-gitea#19124) (go-gitea#19179)
  * Do not send notification emails to inactive users (go-gitea#19131) (go-gitea#19139)
  * Do not send activation email if manual confirm is set (go-gitea#19119) (go-gitea#19122)
* ENHANCEMENTS
  * Use the new/choose link for New Issue on project page (go-gitea#19172) (go-gitea#19176)
* BUGFIXES
  * Fix compare link in active feeds for new branch (go-gitea#19149) (go-gitea#19185)
  * Redirect .wiki/* ui link to /wiki (go-gitea#18831) (go-gitea#19184)
  * Ensure deploy keys with write access can push (go-gitea#19010) (go-gitea#19182)
  * Ensure that setting.LocalURL always has a trailing slash (go-gitea#19171) (go-gitea#19177)
  * Cleanup protected branches when deleting users & teams (go-gitea#19158) (go-gitea#19174)
  * Use IterateBufferSize whilst querying repositories during adoption check (go-gitea#19140) (go-gitea#19160)
  * Fix NPE /repos/issues/search when not signed in (go-gitea#19154) (go-gitea#19155)
  * Use custom favicon when viewing static files if it exists (go-gitea#19130) (go-gitea#19152)
  * Fix the editor height in review box (go-gitea#19003) (go-gitea#19147)
  * Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (go-gitea#19028) (go-gitea#19146)
  * Fix wrong scopes caused by empty scope input (go-gitea#19029) (go-gitea#19145)
  * Make migrations SKIP_TLS_VERIFY apply to git too (go-gitea#19132) (go-gitea#19141)
  * Handle email address not exist (go-gitea#19089) (go-gitea#19121)
* MISC
  * Update json-iterator to allow compilation with go1.18 (go-gitea#18644) (go-gitea#19100)
  * Update golang.org/x/crypto (go-gitea#19097) (go-gitea#19098)

Signed-off-by: Andrew Thornton <[email protected]>