Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dont leak private users via extensions #28023

Merged
merged 2 commits into from
Nov 13, 2023
Merged

Dont leak private users via extensions #28023

merged 2 commits into from
Nov 13, 2023

Conversation

6543
Copy link
Member

@6543 6543 commented Nov 13, 2023

there was no check in place if a user could see a other user, if you append e.g. .rss

@6543 6543 added type/bug backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Nov 13, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 13, 2023
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 13, 2023
delvh
delvh reviewed Nov 13, 2023
View reviewed changes
routers/web/user/home.go Outdated Show resolved Hide resolved
@6543 @delvh
Update routers/web/user/home.go
6c374b8 
Co-authored-by: delvh <dev.lh@web.de>
@6543 6543 requested a review from delvh November 13, 2023 19:14
@6543 6543 added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 13, 2023
@6543 6543 mentioned this pull request Nov 13, 2023
Merged
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 13, 2023
@6543 6543 requested a review from a team November 13, 2023 20:27
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 13, 2023
@jolheiser jolheiser merged commit c636608 into go-gitea:main Nov 13, 2023
25 checks passed
@jolheiser jolheiser deleted the dont-leak-private-users-via-extensions branch November 13, 2023 22:30
@GiteaBot GiteaBot added this to the 1.22.0 milestone Nov 13, 2023
@GiteaBot GiteaBot mentioned this pull request Nov 13, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 13, 2023
@6543 @GiteaBot
Dont leak private users via extensions (go-gitea#28023)
b446378
@GiteaBot GiteaBot mentioned this pull request Nov 13, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 13, 2023
@6543 @GiteaBot
Dont leak private users via extensions (go-gitea#28023)
34e22fd
6543 pushed a commit that referenced this pull request Nov 13, 2023
@GiteaBot
Dont leak private users via extensions (#28023) (#28029)
eef4148 
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`
6543 pushed a commit that referenced this pull request Nov 13, 2023
@GiteaBot
Dont leak private users via extensions (#28023) (#28028)
69ea554 
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`
@GiteaBot
Copy link
Contributor

I was unable to create a backport for 1.20. @6543, please send one manually. 🍵

go run ./contrib/backport 28023
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Nov 13, 2023
@GiteaBot
Copy link
Contributor

I was unable to create a backport for 1.21. @6543, please send one manually. 🍵

go run ./contrib/backport 28023
...  // fix git conflicts if any
go run ./contrib/backport --continue

@6543
Copy link
Member Author

6543 commented Nov 13, 2023

yes because it already got merged 😆

@lunny lunny added the backport/done All backports for this PR have been created label Nov 14, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 14, 2023
@zjjhot
Merge remote-tracking branch 'upstream/main'
4c78dfc 
* upstream/main:
  fixed duplicate attachments on dump on windows (go-gitea#28019)
  [skip ci] Updated translations via Crowdin
  packages: Calculate package size quota using package creator ID instead of owner ID (go-gitea#28007)
  Dont leak private users via extensions (go-gitea#28023)
  Improve profile for Organizations (go-gitea#27982)
  Enable system users search via the API (go-gitea#28013)
  Enable system users for comment.LoadPoster (go-gitea#28014)
  Change default size of issue/pr attachments and repo file (go-gitea#27946)
  Fix missing mail reply address (go-gitea#27997)
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this pull request Jan 17, 2024
@6543 @fuxiaohei
Dont leak private users via extensions (go-gitea#28023)
076d08b
@wxiaoguang wxiaoguang mentioned this pull request Jan 22, 2024
Open
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Feb 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@delvh delvh delvh approved these changes

@denyskon denyskon denyskon approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created backport/manual No power to the bots! Create your backport yourself! backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.22.0
Development

Successfully merging this pull request may close these issues.
6 participants
@6543 @GiteaBot @denyskon @delvh @lunny @jolheiser