
Blacklist manifest.json, milestones user #10290

Closed
2 of 7 tasks
SuperSandro2000 opened this issue Feb 16, 2020 · 0 comments · Fixed by #10292

SuperSandro2000 commented Feb 16, 2020

  • Gitea version (or commit ref): 1.11.0
  • Git version: not relevant
  • Operating system: Docker
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
  • Log gist:

Description

The username manifest.json should be blacklisted because the user can't access his profile. He shouldn't be able to send malicious data to users, as they should not check subdirectories of a file.

The username milestones should be blacklisted because the user can't access his profile. He shouldn't be able to abuse this as long as the milestone tab does not use any sort of subdirectory in the future.
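The route collision the report describes, as an added Go example that is not Gitea's own code: instead of a hand-maintained blacklist, the reserved usernames are derived from the first segment of every fixed top-level route, so a name such as `manifest.json` or `milestones` can never be registered and then shadowed by the fixed route. The route list beyond those two names and the `*.keys`/`*.gpg` patterns are assumed placeholders.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Fixed top-level routes the router matches before the dynamic
// "/{username}" profile route. Constructed for this example: only
// /manifest.json and /milestones come from the issue, the rest are
// assumed placeholders.
var fixedTopLevelRoutes = []string{
	"/manifest.json",
	"/milestones",
	"/api/v1/version",
	"/user/login",
}

// Glob patterns for names that collide with per-user sub-resources
// such as /{username}.keys (assumed for this example).
var reservedPatterns = []string{"*.keys", "*.gpg"}

// reservedNames derives the blacklist from the routes themselves:
// the first path segment of every fixed route, lower-cased.
func reservedNames(routes []string) map[string]bool {
	names := make(map[string]bool)
	for _, r := range routes {
		seg := strings.SplitN(strings.TrimPrefix(r, "/"), "/", 2)[0]
		names[strings.ToLower(seg)] = true
	}
	return names
}

// IsUsableUsername returns nil if name can be registered without
// shadowing, or being shadowed by, a fixed route. Matching is
// case-insensitive because routers and filesystems may fold case.
func IsUsableUsername(name string) error {
	n := strings.ToLower(strings.TrimSpace(name))
	if n == "" || reservedNames(fixedTopLevelRoutes)[n] {
		return fmt.Errorf("username %q is empty or collides with a fixed route", name)
	}
	for _, p := range reservedPatterns {
		if ok, _ := path.Match(p, n); ok {
			return fmt.Errorf("username %q matches reserved pattern %q", name, p)
		}
	}
	return nil
}
```

Because the set is rebuilt from the routing table, adding a new fixed route automatically reserves the matching username rather than waiting for a bug report like this one.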

@SuperSandro2000 SuperSandro2000 changed the title Blacklist manifest.json user Blacklist manifest.json, milestones user Feb 16, 2020
techknowlogick added a commit to techknowlogick/gitea that referenced this issue Feb 16, 2020
@lunny lunny added the type/bug label Feb 16, 2020
@lunny lunny added this to the 1.11.1 milestone Feb 16, 2020
zeripath pushed a commit to zeripath/gitea that referenced this issue Feb 16, 2020
lafriks pushed a commit that referenced this issue Feb 16, 2020
Fix #10290

Co-authored-by: techknowlogick <matti@mdranta.net>
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020