models/release: filter input to prevent command line argument vulnerability
This commit is contained in:
parent
3df8eb60e3
commit
0a78d99a4d
7 changed files with 11 additions and 128 deletions
|
@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
|
||||||
|
|
||||||
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
||||||
|
|
||||||
##### Current version: 0.9.23
|
##### Current version: 0.9.24
|
||||||
|
|
||||||
| Web | UI | Preview |
|
| Web | UI | Preview |
|
||||||
|:-------------:|:-------:|:-------:|
|
|:-------------:|:-------:|:-------:|
|
||||||
|
|
|
@ -23,6 +23,7 @@ Dmitriy Nogay <me AT catwhocode DOT ga>
|
||||||
Enrico Testori hypertesto AT gmail DOT com
|
Enrico Testori hypertesto AT gmail DOT com
|
||||||
Ezequiel Gonzalez Rial <gonrial AT gmail DOT com>
|
Ezequiel Gonzalez Rial <gonrial AT gmail DOT com>
|
||||||
Gregor Santner <gdev AT live DOT de>
|
Gregor Santner <gdev AT live DOT de>
|
||||||
|
Halil Kaya <halil AT halilkaya DOT net>
|
||||||
Hamid Feizabadi <hamidfzm AT gmail DOT com>
|
Hamid Feizabadi <hamidfzm AT gmail DOT com>
|
||||||
Huimin Wang <wanghm2009 AT hotmail DOT co DOT jp>
|
Huimin Wang <wanghm2009 AT hotmail DOT co DOT jp>
|
||||||
ilko <kontact-mr.k AT outlook DOT com">
|
ilko <kontact-mr.k AT outlook DOT com">
|
||||||
|
|
2
gogs.go
2
gogs.go
|
@ -17,7 +17,7 @@ import (
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.9.23.0426"
|
const APP_VER = "0.9.25.0506"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||||
|
|
|
@ -546,9 +546,9 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
|
||||||
sess.Desc("created_unix")
|
sess.Desc("created_unix")
|
||||||
}
|
}
|
||||||
|
|
||||||
if opts.Labels != "0" {
|
if len(opts.Labels) > 0 && opts.Labels != "0" {
|
||||||
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
||||||
if opts.Labels != "" && len(labelIDs) > 0 {
|
if len(labelIDs) > 0 {
|
||||||
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("label_id", labelIDs)
|
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("label_id", labelIDs)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -785,9 +785,9 @@ func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
|
||||||
countSession := func(opts *IssueStatsOptions) *xorm.Session {
|
countSession := func(opts *IssueStatsOptions) *xorm.Session {
|
||||||
sess := x.Where("issue.repo_id = ?", opts.RepoID).And("is_pull = ?", opts.IsPull)
|
sess := x.Where("issue.repo_id = ?", opts.RepoID).And("is_pull = ?", opts.IsPull)
|
||||||
|
|
||||||
if opts.Labels != "0" {
|
if len(opts.Labels) > 0 && opts.Labels != "0" {
|
||||||
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
||||||
if opts.Labels != "" && len(labelIDs) > 0 {
|
if len(labelIDs) > 0 {
|
||||||
sess.Join("INNER", "issue_label", "issue.id = issue_id").In("label_id", labelIDs)
|
sess.Join("INNER", "issue_label", "issue.id = issue_id").In("label_id", labelIDs)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
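Review bot: The new guard `len(opts.Labels) > 0 && opts.Labels != "0"` in the Issues hunk reads more idiomatically as `opts.Labels != "" && opts.Labels != "0"`, and the same form is repeated in the GetIssueStats hunk below. Both hunks now carry an identical split-parse-join block, which could be one small helper taking the session and the join clause so the two call sites stay in step; note the join conditions visible in context already differ (`issue.id = issue_label.issue_id` vs `issue.id = issue_id`), which such a helper would reconcile. It is not visible here what base.StringsToInt64s does with a non-numeric element, so if it silently drops or zeroes it a short comment at the call site would help the next reader. The enclosing Issues and GetIssueStats functions start and end outside the hunks.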
@ -67,6 +67,8 @@ func createTag(gitRepo *git.Repository, rel *Release) error {
|
||||||
return fmt.Errorf("GetBranchCommit: %v", err)
|
return fmt.Errorf("GetBranchCommit: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Trim '--' prefix to prevent command line argument vulnerability
|
||||||
|
rel.TagName = strings.TrimPrefix(rel.TagName, "--")
|
||||||
if err = gitRepo.CreateTag(rel.TagName, commit.ID.String()); err != nil {
|
if err = gitRepo.CreateTag(rel.TagName, commit.ID.String()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
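Review bot: `strings.TrimPrefix(rel.TagName, "--")` on the added line removes exactly one leading `--`, so a name that begins with a single `-`, or with `--` again after the strip, still reaches gitRepo.CreateTag looking like an option; the filter is incomplete. It also silently rewrites the tag name the caller asked for rather than refusing it, so the user ends up with a tag they did not name. A rejection is safer and simpler: `if strings.HasPrefix(rel.TagName, "-") { return fmt.Errorf("invalid tag name %q", rel.TagName) }`, with the comment `// Reject names git would parse as an option`. The durable fix is inside gitRepo.CreateTag itself (outside this hunk), terminating the option list with a literal `--` before the ref argument so that every caller is covered without relying on per-call sanitizing. The enclosing createTag function starts outside the hunk.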
@ -431,126 +431,6 @@
|
||||||
"strictImports": 0,
|
"strictImports": 0,
|
||||||
"strictMath": 0,
|
"strictMath": 0,
|
||||||
"strictUnits": 0
|
"strictUnits": 0
|
||||||
},
|
|
||||||
"\/plugins\/dropzone-4.2.0\/dropzone.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/dropzone.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/dropzone-4.2.0\/dropzone.js": {
|
|
||||||
"fileType": 64,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/dropzone.js",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/min\/dropzone-min.js",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"outputStyle": 1,
|
|
||||||
"syntaxCheckerStyle": 1
|
|
||||||
},
|
|
||||||
"\/plugins\/highlight-9.2.0\/default.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/default.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/highlight-9.2.0\/github.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/github.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/highlight-9.2.0\/highlight.pack.js": {
|
|
||||||
"fileType": 64,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/highlight.pack.js",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/min\/highlight.pack-min.js",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"outputStyle": 1,
|
|
||||||
"syntaxCheckerStyle": 1
|
|
||||||
},
|
|
||||||
"\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.js": {
|
|
||||||
"fileType": 64,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.js",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/min\/jquery.datetimepicker-min.js",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"outputStyle": 1,
|
|
||||||
"syntaxCheckerStyle": 1
|
|
||||||
},
|
|
||||||
"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.min.js": {
|
|
||||||
"fileType": 64,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.min.js",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/min\/jquery.minicolors.min-min.js",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"outputStyle": 1,
|
|
||||||
"syntaxCheckerStyle": 1
|
|
||||||
},
|
|
||||||
"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png": {
|
|
||||||
"fileType": 32768,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"initialSize": 68627,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"processed": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/simplemde-1.10.1\/simplemde.min.css": {
|
|
||||||
"fileType": 16,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/simplemde.min.css",
|
|
||||||
"outputAbbreviatedPath": "No Output Path",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0
|
|
||||||
},
|
|
||||||
"\/plugins\/simplemde-1.10.1\/simplemde.min.js": {
|
|
||||||
"fileType": 64,
|
|
||||||
"ignore": 0,
|
|
||||||
"ignoreWasSetByUser": 0,
|
|
||||||
"inputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/simplemde.min.js",
|
|
||||||
"outputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/min\/simplemde.min-min.js",
|
|
||||||
"outputPathIsOutsideProject": 0,
|
|
||||||
"outputPathIsSetByUser": 0,
|
|
||||||
"outputStyle": 1,
|
|
||||||
"syntaxCheckerStyle": 1
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"hooks": [
|
"hooks": [
|
||||||
|
@ -1162,7 +1042,7 @@
|
||||||
"sassUseLibsass": 0,
|
"sassUseLibsass": 0,
|
||||||
"shouldRunAutoprefixer": 0,
|
"shouldRunAutoprefixer": 0,
|
||||||
"shouldRunBless": 0,
|
"shouldRunBless": 0,
|
||||||
"skippedItemsString": "node_modules, _logs, .hg, _cache, log, logs, cache, \/assets, \/js\/libs, .git, .svn, \/img\/emoji",
|
"skippedItemsString": "node_modules, _logs, .hg, \/plugins, _cache, log, logs, cache, \/assets, \/js\/libs, .git, .svn, \/img\/emoji",
|
||||||
"slimAutoOutputPathEnabled": 1,
|
"slimAutoOutputPathEnabled": 1,
|
||||||
"slimAutoOutputPathFilenamePattern": "*.html",
|
"slimAutoOutputPathFilenamePattern": "*.html",
|
||||||
"slimAutoOutputPathRelativePath": "",
|
"slimAutoOutputPathRelativePath": "",
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
0.9.23.0426
|
0.9.25.0506
|