Disallow urlencoded new lines in git protocol paths if there is a port #13521

Merged on Nov 11, 2020 (1 commit)

zeripath
Contributor

Signed-off-by: Andrew Thornton art27@cantab.net

Signed-off-by: Andrew Thornton <art27@cantab.net>
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Nov 11, 2020
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 11, 2020
@zeripath zeripath merged commit 5d932b3 into go-gitea:master Nov 11, 2020
@zeripath zeripath deleted the no-ports-for-git-protocol branch November 11, 2020 20:34
6543 pushed a commit to 6543-forks/gitea that referenced this pull request Nov 11, 2020
6543 pushed a commit to 6543-forks/gitea that referenced this pull request Nov 11, 2020
@6543 6543 added the backport/done All backports for this PR have been created label Nov 11, 2020
lafriks pushed a commit that referenced this pull request Nov 11, 2020
#13521) (#13524)

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: zeripath <art27@cantab.net>
lafriks pushed a commit that referenced this pull request Nov 11, 2020
#13521) (#13525)

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: zeripath <art27@cantab.net>
@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 11, 2020
uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Nov 22, 2020
    SECURITY
        Prevent git operations for inactive users (#13527) (#13537)
        Disallow urlencoded new lines in git protocol paths if there is a port (#13521) (#13525)
    BUGFIXES
        API should only return Json (#13511) (#13564)
        Fix before and since query arguments at API (#13559) (#13560)
        Prevent panic on git blame by limiting lines to 4096 bytes at most (#13470) (#13492)
        Fix link detection in repository description with tailing ‘_’ (#13407) (#13408)
        Remove obsolete change of email on profile page (#13341) (#13348)
        Fix permission check on get Reactions API endpoints (#13344) (#13346)
        Add migrated pulls to pull request task queue (#13331) (#13335)
        API deny wrong pull creation options (#13308) (#13327)
        Fix initial commit page & binary munching problem (#13249) (#13259)
        Fix diff parsing (#13157) (#13136) (#13139)
        Return error 404 not 500 from API if team does not exist (#13118) (#13119)
        Prohibit automatic downgrades (#13108) (#13111)
        Fix GitLab Migration Option AuthToken (#13101)
        GitLab Label Color Normalizer (#12793) (#13100)
        Log the underlying panic in runMigrateTask (#13096) (#13098)
        Fix attachments list in edit comment (#13036) (#13097)
        Fix deadlock when deleting team user (#13093)
        Fix error create comment on outdated file (#13041) (#13042)
        Fix repository create/delete event webhooks (#13008) (#13027)
        Fix internal server error on README in submodule (#13006) (#13016)

PR:		251296
Submitted by:	maintainer
MFH:		2020Q4
Security:	go-gitea/gitea#13527
		go-gitea/gitea#13521


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@556058 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Nov 22, 2020
Approved by:	portmgr (with hat)

www/gitea: Update to 1.12.5

Changes: https://github.com/go-gitea/gitea/releases/tag/v1.12.5

PR:		250372
Approved by:	maintainer

www/gitea: Update to 1.12.6

    SECURITY
        Prevent git operations for inactive users (#13527) (#13537)
        Disallow urlencoded new lines in git protocol paths if there is a port (#13521) (#13525)
    BUGFIXES
        API should only return Json (#13511) (#13564)
        Fix before and since query arguments at API (#13559) (#13560)
        Prevent panic on git blame by limiting lines to 4096 bytes at most (#13470) (#13492)
        Fix link detection in repository description with tailing ‘_’ (#13407) (#13408)
        Remove obsolete change of email on profile page (#13341) (#13348)
        Fix permission check on get Reactions API endpoints (#13344) (#13346)
        Add migrated pulls to pull request task queue (#13331) (#13335)
        API deny wrong pull creation options (#13308) (#13327)
        Fix initial commit page & binary munching problem (#13249) (#13259)
        Fix diff parsing (#13157) (#13136) (#13139)
        Return error 404 not 500 from API if team does not exist (#13118) (#13119)
        Prohibit automatic downgrades (#13108) (#13111)
        Fix GitLab Migration Option AuthToken (#13101)
        GitLab Label Color Normalizer (#12793) (#13100)
        Log the underlying panic in runMigrateTask (#13096) (#13098)
        Fix attachments list in edit comment (#13036) (#13097)
        Fix deadlock when deleting team user (#13093)
        Fix error create comment on outdated file (#13041) (#13042)
        Fix repository create/delete event webhooks (#13008) (#13027)
        Fix internal server error on README in submodule (#13006) (#13016)

PR:		251296
Submitted by:	maintainer
Security:	go-gitea/gitea#13527
		go-gitea/gitea#13521
uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Nov 22, 2020
Jehops pushed a commit to Jehops/freebsd-ports-legacy that referenced this pull request Nov 22, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Dec 14, 2020
Labels: backport/done, lgtm/done, topic/security, type/bug