
Disallow urlencoded new lines in git protocol paths if there is a port (#13521) #13525

Merged
merged 1 commit into from
Nov 11, 2020

Conversation

@6543 (Member) commented Nov 11, 2020

Backport #13521

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Nov 11, 2020
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 11, 2020
@lafriks lafriks merged commit 480efbd into go-gitea:release/v1.12 Nov 11, 2020
@lafriks lafriks deleted the Backport2_13521 branch November 11, 2020 21:48
@lafriks lafriks added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug and removed type/bug labels Nov 11, 2020
@stypr commented Nov 13, 2020

LGTM

@abergmann

CVE-2020-28991 was assigned to this issue.

@stypr commented Nov 25, 2020

CVE-2020-28991 was assigned to this issue.

The impact is that this vulnerability can cause partial SSRF.
For some reason the impact was snipped off from the vulnerability summary by the CNA.

I'm keeping it as an additional reference in here as the original reporter.

(This comment may change in the future)
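
The kind of check the PR title describes, written as an added illustration for this thread: it is not Gitea's actual patch, and the function name `ValidateGitURL` and the sample URLs are assumptions. A `git://` address that carries an explicit TCP port and a URL-encoded CR/LF in its path is rejected; addresses without a port, or without encoded line breaks, pass.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNewlineInPath is returned for git:// URLs that combine an explicit
// port with a (URL-encoded) CR or LF in the path.
var ErrNewlineInPath = errors.New("git URL with explicit port must not contain CR/LF in its path")

// ValidateGitURL mirrors the rule in the PR title: when the git protocol
// address specifies a port, URL-encoded new lines in the path are disallowed.
// Illustrative check only, not Gitea's own implementation.
func ValidateGitURL(raw string) error {
	u, err := url.Parse(raw) // a raw (unencoded) control character already fails here
	if err != nil {
		return err
	}
	if u.Scheme != "git" || u.Port() == "" {
		return nil // only git:// addresses with an explicit port are checked
	}
	// u.Path holds the decoded form, so %0a / %0d show up as "\n" / "\r".
	if strings.ContainsAny(u.Path, "\r\n") {
		return ErrNewlineInPath
	}
	return nil
}

func main() {
	// Constructed sample inputs; example.com is a placeholder host.
	for _, raw := range []string{
		"git://example.com/org/repo.git",
		"git://example.com:9418/org/repo.git",
		"git://example.com:9418/org/repo.git%0ainjected",
	} {
		fmt.Printf("%-48s -> %v\n", raw, ValidateGitURL(raw))
	}
}
```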

@go-gitea go-gitea locked and limited conversation to collaborators Dec 14, 2020