[GITEA] fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers (cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7) (cherry picked from commit 2d9d2979e6) (cherry picked from commit 6483bceee2) (cherry picked from commit 589d10a181)
2025-11-04 00:11:04 +00:00 · 2023-11-20 16:34:19 +01:00 · 2023-11-20 16:34:19 +01:00 · d9da20aa9a
commit d9da20aa9a
parent f15a2c558a
1 changed files with 4 additions and 0 deletions
--- a/routers/web/repo/issue_pin.go
+++ b/routers/web/repo/issue_pin.go
@ -89,6 +89,10 @@ func IssuePinMove(ctx *context.Context) {
 		log.Error(err.Error())
 		return
 	}
+	if issue.RepoID != ctx.Repo.Repository.ID {
+		ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+		return
+	}

 	err = issue.MovePin(ctx, form.Position)
 	if err != nil {