Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Local storage should not store files as executable #22162

Conversation

zeripath
Copy link
Contributor

The PR #21198 introduced a probable security vulnerability which resulted in making all storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix #22161

Signed-off-by: Andrew Thornton art27@cantab.net

The PR go-gitea#21198 introduced a probable security vulnerability which resulted in making all
storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix go-gitea#22161

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added type/bug issue/regression Indicates a previously functioning feature or behavior that has broken or regressed after a change outdated/backport/v1.18 This PR should be backported to Gitea 1.18 labels Dec 18, 2022
@zeripath zeripath added this to the 1.19.0 milestone Dec 18, 2022
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 18, 2022
Backport go-gitea#22162

The PR go-gitea#21198 introduced a probable security vulnerability which resulted in making all
storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix go-gitea#22161

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added the backport/done All backports for this PR have been created label Dec 18, 2022
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 18, 2022
@Izorkin
Copy link

Izorkin commented Dec 18, 2022

This PR fixed my problem. Thanks.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 18, 2022
lafriks pushed a commit that referenced this pull request Dec 18, 2022
Backport #22162

The PR #21198 introduced a probable security vulnerability which
resulted in making all storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix #22161

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 19, 2022
@lunny lunny merged commit a89b399 into go-gitea:main Dec 19, 2022
@zeripath zeripath deleted the fix-22161-no-storage-these-things-should-not-be-executable branch December 19, 2022 13:15
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created issue/regression Indicates a previously functioning feature or behavior that has broken or regressed after a change lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. outdated/backport/v1.18 This PR should be backported to Gitea 1.18 type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Gitea grants 0750 rights to uploaded avatars
5 participants