From be3f7790d192c9c0971e704e053a54f85efe587e Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Sat, 17 Jan 2026 09:29:10 +0100
Subject: [PATCH] lock out info/refs from calling upload-archive
---
 routers/web/githttp.go | 2 +-
 routers/web/repo/githttp.go | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/routers/web/githttp.go b/routers/web/githttp.go
index 4ba766c2c7..1b6ef455a7 100644
--- a/routers/web/githttp.go
+++ b/routers/web/githttp.go
@@ -13,7 +13,7 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {
 m.Group("/{username}/{reponame}", func() {
 m.Methods("POST,OPTIONS", "/git-upload-pack", repo.ServiceUploadPack)
 m.Methods("POST,OPTIONS", "/git-receive-pack", repo.ServiceReceivePack)
- m.Post("/git-upload-archive", repo.ServiceUploadArchive)
+ m.Methods("POST,OPTIONS", "/git-upload-archive", repo.ServiceUploadArchive)
 m.Methods("GET,OPTIONS", "/info/refs", repo.GetInfoRefs)
 m.Methods("GET,OPTIONS", "/HEAD", repo.GetTextFile("HEAD"))
 m.Methods("GET,OPTIONS", "/objects/info/alternates", repo.GetTextFile("objects/info/alternates"))
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 5689e6a1b2..915057e5f1 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -438,7 +438,8 @@ func serviceRPC(ctx *context.Context, h *serviceHandler, service string) {
 }
 var stderr bytes.Buffer
- if service != ServiceTypeUploadArchive {
+ // git upload-archive does not have a -- stateless-rpc option
+ if service == ServiceTypeUploadArchive || service == ServiceTypeReceivePack {
 cmd.AddArguments("--stateless-rpc")
 }
 if err := gitrepo.RunCmd(ctx, h.getStorageRepo(), cmd.AddArguments(".").
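Review bot: In the serviceRPC hunk of routers/web/repo/githttp.go the rewritten condition contradicts the comment placed directly above it: it appends `--stateless-rpc` when the service is upload-archive, which the comment says has no such option, and it no longer appends it for upload-pack, which the removed `service != ServiceTypeUploadArchive` test covered. As written, upload-pack RPCs would run without stateless mode and archive requests would be handed a flag they do not accept. The condition should read `if service == ServiceTypeUploadPack || service == ServiceTypeReceivePack {`. The comment also shows a stray space in `-- stateless-rpc`, which may be an extraction artefact. serviceRPC starts and ends outside the hunk, so how the resulting command error is surfaced cannot be judged from here.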
@@ -510,6 +511,10 @@ func GetInfoRefs(ctx *context.Context) {
 }
 setHeaderNoCache(ctx)
 service := getServiceType(ctx)
+ if !(service == ServiceTypeUploadPack || service == ServiceTypeReceivePack) {
+ ctx.Resp.WriteHeader(http.StatusBadRequest)
+ return
+ }
 cmd, err := prepareGitCmdWithAllowedService(service)
 if err == nil {
 if protocol := ctx.Req.Header.Get("Git-Protocol"); protocol != "" && safeGitProtocolHeader.MatchString(protocol) {
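Review bot: The allowlist added in GetInfoRefs may also reject requests that carry no `service` parameter at all. This assumes getServiceType returns an empty value in that case; its body is not visible here. If so, whatever follows `if err == nil {` as the path for a failed prepareGitCmdWithAllowedService becomes unreachable for those requests, and they now get a bare 400 with no body. If the intent is only to keep upload-archive away from info/refs, consider `if service != "" && service != ServiceTypeUploadPack && service != ServiceTypeReceivePack {`, with a comment such as `// info/refs only advertises refs for upload-pack and receive-pack`. GetInfoRefs continues past the end of the hunk, so the fallback behaviour should be confirmed against the full function.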