
lock out info/refs from calling upload-archive

This commit is contained in:
TheFox0x7 2026-01-17 09:29:10 +01:00
parent e4a3f34e8e
commit be3f7790d1
No known key found for this signature in database
2 changed files with 7 additions and 2 deletions


@ -13,7 +13,7 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {
m.Group("/{username}/{reponame}", func() {
m.Methods("POST,OPTIONS", "/git-upload-pack", repo.ServiceUploadPack)
m.Methods("POST,OPTIONS", "/git-receive-pack", repo.ServiceReceivePack)
m.Post("/git-upload-archive", repo.ServiceUploadArchive)
m.Methods("POST,OPTIONS", "/git-upload-archive", repo.ServiceUploadArchive)
m.Methods("GET,OPTIONS", "/info/refs", repo.GetInfoRefs)
m.Methods("GET,OPTIONS", "/HEAD", repo.GetTextFile("HEAD"))
m.Methods("GET,OPTIONS", "/objects/info/alternates", repo.GetTextFile("objects/info/alternates"))


@ -438,7 +438,8 @@ func serviceRPC(ctx *context.Context, h *serviceHandler, service string) {
}
var stderr bytes.Buffer
if service != ServiceTypeUploadArchive {
// git upload-archive does not have a -- stateless-rpc option
if service == ServiceTypeUploadArchive || service == ServiceTypeReceivePack {
cmd.AddArguments("--stateless-rpc")
}
if err := gitrepo.RunCmd(ctx, h.getStorageRepo(), cmd.AddArguments(".").
@ -510,6 +511,10 @@ func GetInfoRefs(ctx *context.Context) {
}
setHeaderNoCache(ctx)
service := getServiceType(ctx)
if !(service == ServiceTypeUploadPack || service == ServiceTypeReceivePack) {
ctx.Resp.WriteHeader(http.StatusBadRequest)
return
}
cmd, err := prepareGitCmdWithAllowedService(service)
if err == nil {
if protocol := ctx.Req.Header.Get("Git-Protocol"); protocol != "" && safeGitProtocolHeader.MatchString(protocol) {
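Review bot: The new condition `if service == ServiceTypeUploadArchive || service == ServiceTypeReceivePack {` in serviceRPC contradicts the comment directly above it, which states that upload-archive has no `--stateless-rpc` option, so as rendered upload-archive now receives the flag while upload-pack no longer does. The replaced line only excluded upload-archive, so the intended condition is presumably `if service == ServiceTypeUploadPack || service == ServiceTypeReceivePack {`; worth confirming this is not a rendering artifact before merging. The body of serviceRPC continues outside the hunk. In the GetInfoRefs hunk, the added guard also rejects an empty service value, so if the function still falls back to serving the dumb-HTTP `info/refs` file when no service is requested (the `if err == nil` on the last line suggests an else branch outside the hunk), that path now answers 400 and should be covered by a test.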