
Mixed-content issues #916

Closed
2 of 6 tasks
minecrafter opened this issue Feb 12, 2017 · 13 comments · Fixed by #12802
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/enhancement An improvement of existing functionality
Milestone

Comments

@minecrafter
Contributor

minecrafter commented Feb 12, 2017

  • Gitea version (or commit ref): 1.0.1
  • Git version: 2.7.4
  • Operating system: Ubuntu 16.04 LTS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
  • Log gist:

Description

Gitea can still serve mixed-content pages, even with SSL. This is most pronounced with images being loaded over an insecure connection.

This can be solved by integrating a solution similar to camo (GitHub uses this) into Gitea.

In addition to security, it also provides a privacy benefit for users if the install is public.



@lunny lunny added this to the 1.1.0 milestone Feb 13, 2017
@lunny lunny added type/enhancement An improvement of existing functionality topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Feb 13, 2017
@thehowl
Contributor

thehowl commented Feb 13, 2017

If we're embedding a camo server into gitea, I'd like to say go-camo is a thing and we could get most stuff from that: https://github.com/cactus/go-camo

@tboerger
Member

go-camo makes sense, we don't want to reinvent the wheel

@lunny
Member

lunny commented Feb 21, 2017

Anyone would like to send a PR to fix this?

@lunny lunny modified the milestones: 1.2.0, 1.1.0 Feb 22, 2017
@lunny
Member

lunny commented Feb 22, 2017

Move this to v1.2 since no PR to send.

@lunny lunny modified the milestones: 1.x.x, 1.2.0 Apr 20, 2017
@6543
Member

6543 commented Jul 27, 2019

is there any progress?

@lunny
Member

lunny commented Jul 27, 2019

Nobody is working on this.

@6543
Member

6543 commented Jul 27, 2019

@lunny
can we do this for 1.10.0?
I think it only affects the markdown parts of Gitea?
Which files are these, so I'll have a look at it.

And does the label kind/security also mean privacy?
Because I think this is also a privacy concern ...

@6543
Member

6543 commented Jul 27, 2019

To discuss:

should we replace the src URL of img nodes after blackfriday processes the markdown

or

replace ![*]($url) with ![*]($camourl/$url) ?

@6543
Member

6543 commented Jul 27, 2019

We need in each case two config values:

  • CAMO_URL
  • CAMO_KEY

for example:
nginx reverse proxy gitea.com/camo -> http://127.0.0.1:3456

camo itself:
./go-camo -k 123secret --listen=127.0.0.1:3456 --stats --metrics &
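The two comments above propose two config values (a camo base URL and a shared secret) and, as one of the two options, rewriting the src of img nodes after the markdown has been rendered. The following is an added illustration of that design, written for this discussion; it is not Gitea's code and not go-camo's. It assumes the camo-style URL layout `<base>/<base64url(HMAC-SHA1(key, url))>/<base64url(url)>`, the config names `BaseURL` and `Key`, and the host `gitea.example`; the key `123secret` is the one used in the go-camo command above. Only plain `http://` sources are rewritten, since `https://` and relative sources are not mixed content; `Verify` shows the check a proxy performs on the other side so that it only fetches URLs the site itself signed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Camo holds the two config values proposed in the comment.
// Field names are assumptions for this illustration.
type Camo struct {
	BaseURL string // public proxy prefix, e.g. https://gitea.example/camo
	Key     []byte // shared HMAC secret; must equal the proxy's -k value
}

// SignedURL builds a camo-style proxied URL: the HMAC-SHA1 digest of the
// original URL, then the URL itself, both base64url-encoded without padding.
// The layout is an assumption modelled on camo's base64 form.
func (c Camo) SignedURL(raw string) string {
	mac := hmac.New(sha1.New, c.Key)
	mac.Write([]byte(raw))
	enc := base64.RawURLEncoding
	return strings.TrimRight(c.BaseURL, "/") + "/" +
		enc.EncodeToString(mac.Sum(nil)) + "/" +
		enc.EncodeToString([]byte(raw))
}

// Verify is the proxy-side check: decode both parts, recompute the MAC over
// the URL and compare in constant time. A forged or altered URL is rejected,
// so the proxy cannot be used to fetch arbitrary addresses.
func (c Camo) Verify(digestB64, urlB64 string) (string, bool) {
	enc := base64.RawURLEncoding
	digest, err := enc.DecodeString(digestB64)
	if err != nil {
		return "", false
	}
	raw, err := enc.DecodeString(urlB64)
	if err != nil {
		return "", false
	}
	mac := hmac.New(sha1.New, c.Key)
	mac.Write(raw)
	if !hmac.Equal(digest, mac.Sum(nil)) {
		return "", false
	}
	return string(raw), true
}

// imgSrc matches the src="..." attribute of an <img> tag in rendered HTML.
var imgSrc = regexp.MustCompile(`(?i)(<img\b[^>]*\bsrc=")([^"]*)(")`)

// RewriteImages is the "after rendering" option from the discussion: every
// <img> whose src is plain http:// is pointed at the proxy. https:// and
// relative sources are left untouched because they are not mixed content.
func (c Camo) RewriteImages(html string) string {
	return imgSrc.ReplaceAllStringFunc(html, func(tag string) string {
		m := imgSrc.FindStringSubmatch(tag)
		src := m[2]
		if !strings.HasPrefix(strings.ToLower(src), "http://") {
			return tag
		}
		return m[1] + c.SignedURL(src) + m[3]
	})
}

func main() {
	// Constructed sample: one insecure image, one https image, one relative.
	c := Camo{BaseURL: "https://gitea.example/camo", Key: []byte("123secret")}
	in := `<p><img src="http://example.com/a.png"> <img src="https://ok.example/x.png"> <img src="/local.png"></p>`
	fmt.Println(c.RewriteImages(in))
}
```

Because the signature covers the full original URL, the proxy only ever fetches what the rendering side signed, which is what turns an open image proxy into a closed one; the key therefore has to be kept out of page output and configured identically on both sides.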

@tboerger
Member

I think the goal had been to embed it instead of relying on another service

@6543
Member

6543 commented Jul 28, 2019

We can use the routines of go-camo; it shouldn't be that hard.

I already played with the URL encode function provided by this project, but since I just started with Go I have no idea how to integrate the main camo process into Gitea yet.

@6543
Member

6543 commented Jul 28, 2019

I think the goal had been to embed it instead of relying on another service

and then #916 (comment) still remains

@lhinderberger

There has been a parallel discussion on this issue at Codeberg.org: https://codeberg.org/Codeberg/Community/issues/196

zeripath added a commit to zeripath/gitea that referenced this issue Sep 10, 2020
Fix go-gitea#916

Signed-off-by: Andrew Thornton <art27@cantab.net>
6543 added a commit that referenced this issue Mar 29, 2022
* Provide configuration to allow camo-media proxying

Fix #916

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Codeberg-org pushed a commit to Codeberg-org/gitea that referenced this issue Mar 29, 2022
* Provide configuration to allow camo-media proxying

Fix go-gitea#916

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@lunny lunny removed this from the 1.x.x milestone Mar 30, 2022
@lunny lunny added this to the 1.17.0 milestone Mar 30, 2022
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
6 participants