finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use CleanPath instead of path.Clean (#23371)

Browse source 
As title.
This commit is contained in:
Lunny Xiao 2023-03-08 20:17:39 +08:00 committed by GitHub
parent 090e753923
commit b116418f05
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 45 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

4
services/migrations/gitea_uploader.go
View file

@ -9,7 +9,6 @@ import (
"fmt"
"io"
"os"
"path"
"path/filepath"
"strconv"
"strings"
@ -30,6 +29,7 @@ import (
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/uri"
"code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/services/pull"
"github.com/google/uuid"
@ -866,7 +866,7 @@ func (g *GiteaLocalUploader) CreateReviews(reviews ...*base.Review) error {
}
// SECURITY: The TreePath must be cleaned!
comment.TreePath = path.Clean("/" + comment.TreePath)[1:]
comment.TreePath = util.CleanPath(comment.TreePath)
var patch string
reader, writer := io.Pipe()

4
services/packages/container/blob_uploader.go
View file

@ -8,13 +8,13 @@ import (
"errors"
"io"
"os"
"path"
"path/filepath"
"strings"
packages_model "code.gitea.io/gitea/models/packages"
packages_module "code.gitea.io/gitea/modules/packages"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
)
var (
@ -33,7 +33,7 @@ type BlobUploader struct {
}
func buildFilePath(id string) string {
return filepath.Join(setting.Packages.ChunkedUploadPath, path.Clean("/" + strings.ReplaceAll(id, "\\", "/"))[1:])
return filepath.Join(setting.Packages.ChunkedUploadPath, util.CleanPath(strings.ReplaceAll(id, "\\", "/")))
}
// NewBlobUploader creates a new blob uploader for the given id

4
services/repository/files/file.go
View file

@ -7,7 +7,6 @@ import (
"context"
"fmt"
"net/url"
"path"
"strings"
"time"
@ -15,6 +14,7 @@ import (
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/util"
)
// GetFileResponseFromCommit Constructs a FileResponse from a Commit object
@ -129,7 +129,7 @@ func GetAuthorAndCommitterUsers(author, committer *IdentityOptions, doer *user_m
// CleanUploadFileName Trims a filename and returns empty string if it is a .git directory
func CleanUploadFileName(name string) string {
// Rebase the filename
name = strings.Trim(path.Clean("/"+name), "/")
name = strings.Trim(util.CleanPath(name), "/")
// Git disallows any filenames to have a .git directory in them.
for _, part := range strings.Split(name, "/") {
if strings.ToLower(part) == ".git" {