mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-13 14:25:39 +02:00
- **Locale DoS:** the `Locale` middleware passed the raw
`Accept-Language` header to `ParseAcceptLanguage`, whose guard only
counts `-` while the scanner aliases `_` to `-` — a large `_`-separated
header on an unauthenticated request burned CPU. The header is now
length-bounded before parsing.
- **Public-only token scope:** `GET /teams/{id}/repos`,
`.../repos/{org}/{repo}`, `/teams/{id}/activities/feeds`, and
`/users/{username}/orgs/{org}/permissions` still returned private
repo/activity/permission data to a public-only token. They now filter
via `TokenCanAccessRepo` / `ApplyPublicOnly` and reject non-public org
permissions.
- **Push-option visibility:** `repo.private` / `repo.template` push
options were applied to any existing repo, letting an owner/admin
silently flip visibility bypassing audit, webhooks, and notifications.
They are now honored only on push-to-create.
28 lines
935 B
Go
28 lines
935 B
Go
// Copyright 2026 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestParseAcceptLanguage(t *testing.T) {
|
|
// a normal header is parsed and its leading language preserved
|
|
tags := parseAcceptLanguage("de-DE,de;q=0.9,en;q=0.8")
|
|
assert.NotEmpty(t, tags)
|
|
assert.Equal(t, "de-DE", tags[0].String())
|
|
|
|
// an oversized "_"-separated header would drive ParseAcceptLanguage into its
|
|
// quadratic-time path (the built-in guard only counts "-"); the length bound
|
|
// keeps the input passed to the parser small so it cannot be used for a DoS.
|
|
malicious := strings.Repeat("_aaaaaaaaa", 1<<16) // ~640 KiB, zero "-" characters
|
|
assert.Greater(t, len(malicious), maxAcceptLanguageLen)
|
|
tags = parseAcceptLanguage(malicious)
|
|
// no panic / hang, and nothing meaningful is parsed out of the garbage
|
|
assert.Empty(t, tags)
|
|
}
|