Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure correct SSH permissions check for private and restricted users (#17370) #17373

Merged
merged 3 commits into from
Oct 20, 2021
Merged

Ensure correct SSH permissions check for private and restricted users (#17370) #17373

merged 3 commits into from
Oct 20, 2021

Conversation

6543
Copy link
Member

@6543 6543 commented Oct 20, 2021

Backport #17370

Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath @6543
Ensure correct SSH permissions check for private and restricted users (
36a8ce6 
…go-gitea#17370)

Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix go-gitea#17364

Signed-off-by: Andrew Thornton <art27@cantab.net>
@6543 6543 added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Oct 20, 2021
@6543 6543 added this to the 1.15.5 milestone Oct 20, 2021
@6543 6543 mentioned this pull request Oct 20, 2021
Merged
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Oct 20, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 20, 2021
@6543
Copy link
Member Author

6543 commented Oct 20, 2021

🚀

@6543 6543 merged commit 79f0b1a into go-gitea:release/v1.15 Oct 20, 2021
@6543 6543 deleted the backport_17370 branch October 20, 2021 20:26
zeripath added a commit to zeripath/gitea that referenced this pull request Oct 21, 2021
@zeripath
Changelog 1.15.5
9ae77e1 
* SECURITY
  * Upgrade Bluemonday to v1.0.16 (go-gitea#17372) (go-gitea#17374)
  * Ensure correct SSH permissions check for private and restricted users (go-gitea#17370) (go-gitea#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (go-gitea#17018) (go-gitea#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (go-gitea#17281) (go-gitea#17376)
  * Don't panic if we fail to parse U2FRegistration data (go-gitea#17304) (go-gitea#17371)
  * Ensure popup text is aligned left (backport for 1.15) (go-gitea#17343)
  * Ensure that git daemon export ok is created for mirrors (go-gitea#17243) (go-gitea#17306)
  * Disable core.protectNTFS (go-gitea#17300) (go-gitea#17302)
  * Use pointer for wrappedConn methods (go-gitea#17295) (go-gitea#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (go-gitea#17292)
  * Handle duplicate keys on GPG key ring (go-gitea#17242) (go-gitea#17284)
  * Fix SVG side by side comparison link (go-gitea#17375) (go-gitea#17391)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Oct 21, 2021
Merged
6543 pushed a commit that referenced this pull request Oct 21, 2021
@zeripath
Changelog 1.15.5 (#17392)
3aecea2 
* SECURITY
  * Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
  * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
  * Ensure popup text is aligned left (backport for 1.15) (#17343)
  * Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
  * Disable core.protectNTFS (#17300) (#17302)
  * Use pointer for wrappedConn methods (#17295) (#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (#17292)
  * Handle duplicate keys on GPG key ring (#17242) (#17284)
  * Fix SVG side by side comparison link (#17375) (#17391)

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this pull request Oct 22, 2021
@zeripath
Changelog 1.15.5 (go-gitea#17392)
e3365ce 
Frontport go-gitea#17392

* SECURITY
  * Upgrade Bluemonday to v1.0.16 (go-gitea#17372) (go-gitea#17374)
  * Ensure correct SSH permissions check for private and restricted users (go-gitea#17370) (go-gitea#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (go-gitea#17018) (go-gitea#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (go-gitea#17281) (go-gitea#17376)
  * Don't panic if we fail to parse U2FRegistration data (go-gitea#17304) (go-gitea#17371)
  * Ensure popup text is aligned left (backport for 1.15) (go-gitea#17343)
  * Ensure that git daemon export ok is created for mirrors (go-gitea#17243) (go-gitea#17306)
  * Disable core.protectNTFS (go-gitea#17300) (go-gitea#17302)
  * Use pointer for wrappedConn methods (go-gitea#17295) (go-gitea#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (go-gitea#17292)
  * Handle duplicate keys on GPG key ring (go-gitea#17242) (go-gitea#17284)
  * Fix SVG side by side comparison link (go-gitea#17375) (go-gitea#17391)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Oct 22, 2021
Merged
@wxiaoguang wxiaoguang mentioned this pull request Oct 24, 2021
Closed
zeripath added a commit to zeripath/gitea that referenced this pull request Oct 25, 2021
@zeripath
Prevent panic in serv.go with Deploy Keys
931965c 
Unfortunately there was a regression in go-gitea#17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix go-gitea#17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Oct 25, 2021
Merged
zeripath added a commit to zeripath/gitea that referenced this pull request Oct 25, 2021
@zeripath
Prevent panic in serv.go with Deploy Keys (go-gitea#17434)
fcfe5a6 
Backport go-gitea#17434

Unfortunately there was a regression in go-gitea#17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix go-gitea#17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Oct 25, 2021
Merged
6543 pushed a commit that referenced this pull request Oct 25, 2021
@zeripath
Prevent panic in serv.go with Deploy Keys (#17434)
849356d 
Unfortunately there was a regression in #17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix #17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
6543 pushed a commit that referenced this pull request Oct 25, 2021
@zeripath
Prevent panic in serv.go with Deploy Keys (#17434) (#17435)
dd1ba34 
Backport #17434

Unfortunately there was a regression in #17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix #17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
Chianina pushed a commit to Chianina/gitea that referenced this pull request Mar 28, 2022
@zeripath
Prevent panic in serv.go with Deploy Keys (go-gitea#17434)
66a032d 
Unfortunately there was a regression in go-gitea#17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix go-gitea#17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jolheiser jolheiser jolheiser approved these changes

@zeripath zeripath zeripath approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.15.5
Development

Successfully merging this pull request may close these issues.
4 participants
@6543 @zeripath @jolheiser @GiteaBot