	Use shellquote to unpack arguments to gitea serv (#12624)
Fix #12471 Signed-off-by: Andrew Thornton <art27@cantab.net>
		
					parent
					
						
							
								274f9233ab
							
						
					
				
			
			
				commit
				
					
						7ba6fea0b7
					
				
			
		
					 1 changed files with 18 additions and 15 deletions
				
			
		
							
								
								
									
										33
									
								
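--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -25,6 +25,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/dgrijalva/jwt-go"
+	"github.com/kballard/go-shellquote"
 	"github.com/unknwon/com"
 	"github.com/urfave/cli"
 )
@@ -59,14 +60,6 @@ func setup(logPath string, debug bool) {
 	}
 }
 
-func parseCmd(cmd string) (string, string) {
-	ss := strings.SplitN(cmd, " ", 2)
-	if len(ss) != 2 {
-		return "", ""
-	}
-	return ss[0], strings.Replace(ss[1], "'/", "'", 1)
-}
-
 var (
 	allowedCommands = map[string]models.AccessMode{
 		"git-upload-pack":    models.AccessModeRead,
@@ -126,7 +119,20 @@ func runServ(c *cli.Context) error {
 		return nil
 	}
 
-	verb, args := parseCmd(cmd)
+	words, err := shellquote.Split(cmd)
+	if err != nil {
+		fail("Error parsing arguments", "Failed to parse arguments: %v", err)
+	}
+
+	if len(words) < 2 {
+		fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
+	}
+
+	verb := words[0]
+	repoPath := words[1]
+	if repoPath[0] == '/' {
+		repoPath = repoPath[1:]
+	}
 
 	var lfsVerb string
 	if verb == lfsAuthenticateVerb {
@@ -134,17 +140,14 @@ func runServ(c *cli.Context) error {
 			fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
 		}
 
-		argsSplit := strings.Split(args, " ")
-		if len(argsSplit) >= 2 {
-			args = strings.TrimSpace(argsSplit[0])
-			lfsVerb = strings.TrimSpace(argsSplit[1])
+		if len(words) > 2 {
+			lfsVerb = words[2]
 		}
 	}
 
-	repoPath := strings.ToLower(strings.Trim(args, "'"))
 	rr := strings.SplitN(repoPath, "/", 2)
 	if len(rr) != 2 {
-		fail("Invalid repository path", "Invalid repository path: %v", args)
+		fail("Invalid repository path", "Invalid repository path: %v", repoPath)
 	}
 
 	username := strings.ToLower(rr[0])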
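Review bot: In the third hunk, `repoPath[0] == '/'` indexes the second word without checking that it is non-empty, and the preceding `len(words) < 2` guard does not establish that. If `shellquote.Split` returns an empty word for a quoted empty argument, which I would expect but cannot confirm from the page, the index panics instead of reaching the "Invalid repository path" failure a few lines below. Because `cmd` is presumably the command string received from the SSH client (its origin is outside the hunks), that path should fail cleanly: replace the three-line check with `repoPath := strings.TrimPrefix(words[1], "/")`, which handles the empty case and lets the existing `len(rr) != 2` check reject it. The log format `"Too few arguments in cmd: %s"` would also be safer as `%q`, so that control characters in the client-supplied string are escaped in the log. runServ starts and ends outside the visible hunks, so any later validation of `repoPath` is not visible here.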