gitea/modules at bab7d885aa675f33573092f9ea0f081473dc517c - gitea - iGNUranza Git

MarcoBuster/gitea

mirror of https://github.com/go-gitea/gitea synced 2025-01-24 15:37:45 +01:00

History

zeripath e3d8e92bdc

Prevent redirect to Host (2) (#19175 ) (#19186 )

Backport #19175

Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>

2022-03-23 20:01:23 +00:00

..

Create pub/priv keypair for federation (#17071 )

2021-09-28 15:19:22 -04:00

Use git attributes to determine generated and vendored status for language stats and diffs (#16773 )

2021-09-09 21:13:36 +01:00

Decouple unit test code from business code (#17623 )

2021-11-12 22:36:47 +08:00

fix pam authorization (#19040 ) (#19047 )

2022-03-10 08:15:35 +00:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00

Test cache during init (#17852 )

2021-12-06 00:24:57 +08:00

Don't treat BOM escape sequence as hidden character. (#18909 ) (#18910 )

2022-02-26 23:15:04 +01:00

Prevent redirect to Host (2) (#19175 ) (#19186 )

2022-03-23 20:01:23 +00:00

Add MirrorUpdated field to Repository API type (#18267 )

2022-01-18 13:18:30 +00:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Run processors on whole of text (#16155 )

2021-06-17 11:35:05 +01:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00

Support webauthn (#17957 )

2022-01-14 16:03:31 +01:00

Make migrations SKIP_TLS_VERIFY apply to git too (#19132 ) (#19141 )

2022-03-19 16:20:26 +00:00

Collaborator trust model should trust collaborators (#18539 ) (#18557 )

2022-02-03 11:20:37 -05:00

Immediately Hammer if second kill is sent (#18823 ) (#18826 )

2022-02-20 01:37:52 +08:00

hCaptcha Support (#12594 )

2020-10-02 23:37:53 -04:00

Bump to build with go1.18 (#19120 et al) (#19127 )

2022-03-19 18:46:47 +01:00

Bump to build with go1.18 (#19120 et al) (#19127 )

2022-03-19 18:46:47 +01:00

Use a variable but a function for IsProd because of a slight performance increment (#17368 )

2021-10-20 16:37:19 +02:00

refactor: move from io/ioutil to io and os package (#17109 )

2021-09-22 13:38:34 +08:00

Upgrade bleve from v2.0.6 to v2.3.0 (#18132 )

2022-01-01 16:26:27 +08:00

Move repository model into models/repo (#17933 )

2021-12-10 09:27:50 +08:00

Improve SyncMirrors logging (#19045 ) (#19050 )

2022-03-10 16:06:35 +01:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00

Bump to build with go1.18 (#19120 et al) (#19127 )

2022-03-19 18:46:47 +01:00

Refactor auth package (#17962 )

2022-01-02 21:12:35 +08:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Adjust error for already locked db and prevent level db lock on malformed connstr (#18923 ) (#18938 )

2022-02-28 15:45:38 +00:00

Fix problem when self-assign notification (#18797 ) (#18976 )

2022-03-02 20:11:55 +00:00

Remove golang vendored directory (#18277 )

2022-01-14 18:16:05 -05:00

Fixed assert statements. (#16089 )

2021-06-07 07:27:09 +02:00

refactor: move from io/ioutil to io and os package (#17109 )

2021-09-22 13:38:34 +08:00

Fix the bug: deploy key with write access can not push (#19010 ) (#19182 )

2022-03-23 13:44:41 +00:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Return nil proxy function if proxy not enabled (#16742 )

2021-08-19 16:41:20 -04:00

Fix mime-type detection for HTTP server (#18371 )

2022-01-23 21:17:20 +08:00

In disk_channel queues synchronously push to disk on shutdown (#18415 ) (#18788 )

2022-02-22 20:08:35 +08:00

refactor: move from io/ioutil to io and os package (#17109 )

2021-09-22 13:38:34 +08:00

Add API to get issue/pull comments and events (timeline) (#17403 )

2022-01-01 22:12:25 +08:00

Make migrations SKIP_TLS_VERIFY apply to git too (#19132 ) (#19141 )

2022-03-19 16:20:26 +00:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00

Refactor auth package (#17962 )

2022-01-02 21:12:35 +08:00

Ensure that setting.LocalURL always has a trailing slash (#19171 ) (#19177 )

2022-03-23 12:56:52 +08:00

Update golang.org/x/crypto (#19097 ) (#19098 )

2022-03-19 12:16:15 +00:00

Clean paths when looking in Storage (#19124 ) (#19179 )

2022-03-23 09:23:00 +00:00

Add MirrorUpdated field to Repository API type (#18267 )

2022-01-18 13:18:30 +00:00

refactor: move from io/ioutil to io and os package (#17109 )

2021-09-22 13:38:34 +08:00

Fix missing unlock in uniquequeue (#9790 )

2020-01-15 23:58:33 +02:00

Prevent start panic due to missing DotEscape function

2022-03-23 16:09:57 +00:00

Unify and simplify TrN for i18n (#18141 )

2022-01-02 04:33:57 +01:00

Don't store assets modified time into generated files (#18193 )

2022-01-06 21:33:17 -05:00

Sort locales according to their names (#18211 )

2022-01-08 12:18:39 +00:00

Read expected buffer size (#17409 )

2021-10-24 22:12:43 +01:00

Fix various typos (#18219 )

2022-01-10 17:32:37 +08:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00

Prevent NPE if gitea uploader fails to open url (#18080 )

2021-12-23 16:27:33 +00:00

Add gitea-vet (#10948 )

2020-04-05 07:20:50 +01:00

Cleanup protected branches when deleting users & teams (#19158 ) (#19174 )

2022-03-23 13:56:53 +08:00

Upgrade chi to v5 (#17298 )

2021-10-13 22:50:23 -04:00

Simplify parameter types (#18006 )

2021-12-20 04:41:31 +00:00