
repo: disallow urlencoded new lines in git protocol paths (#6420)

Co-authored-by: ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
stypr 4 years ago
parent
commit
cd469f7a1d
2 changed files with 6 additions and 0 deletions
  1. 2 0
      CHANGELOG.md
  2. 4 0
      internal/form/repo.go

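--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 
 - Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
+- [Security] Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
+
 
 ### Removed
 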

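--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@@ -72,6 +72,10 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 		if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 			u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 		}
+		// To prevent CRLF injection in git protocol, see https://github.com/gogs/gogs/issues/6413
+		if u.Scheme == "git" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", db.ErrInvalidCloneAddr{IsURLError: true}
+		}
 		remoteAddr = u.String()
 	} else if !user.CanImportLocal() {
 		return "", db.ErrInvalidCloneAddr{IsPermissionDenied: true}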
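Review bot: The added `strings.Contains` check is case-sensitive, so the equally valid uppercase escapes `%0D`/`%0A` are not rejected and pass through `u.String()` unchanged; if git percent-decodes the path as the linked issue implies, they reach the daemon as CR/LF exactly like the lowercase forms. Since `url.Parse` has already decoded the path into `u.Path`, checking the decoded value covers every casing in one step: `if u.Scheme == "git" && strings.ContainsAny(u.Path, "\r\n") {`. The guard also applies only to the `git` scheme; whether `ssh` or `http(s)` remotes can carry the same injection is not shown here and is worth confirming before relying on this check alone. The enclosing ParseRemoteAddr starts and ends outside the hunk.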