Skip to content

Since 1.15.0, downloading a release attachment using Basic auth redirect to login #16914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
2 of 6 tasks
kenji21 opened this issue Sep 1, 2021 · 5 comments · Fixed by #16916
Closed
2 of 6 tasks

Since 1.15.0, downloading a release attachment using Basic auth redirect to login #16914

kenji21 opened this issue Sep 1, 2021 · 5 comments · Fixed by #16916
Labels
issue/regression Indicates a previously functioning feature or behavior that has broken or regressed after a change
Milestone
1.15.1

Comments

@kenji21
Copy link

kenji21 commented Sep 1, 2021

  • Gitea version (or commit ref): 1.15.0
  • Git version: 2.20.1
  • Operating system: Debian 10 (running from systemd)
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No (needs a private repo)
  • Log gist:
Sep  1 12:37:04 gitea gitea[25215]: 2021/09/01 12:37:04 Started GET /:owner/:repo/releases/download/:tag/some.zip for REDACTED_IP:0
Sep  1 12:37:04 gitea gitea[25215]: 2021/09/01 12:37:04 Completed GET /:owner/:repo/releases/download/:tag/some.zip 302 Found in 349.553µs
Sep  1 12:37:04 gitea gitea[25215]: 2021/09/01 12:37:04 Started GET /user/login for REDACTED_IP:0
Sep  1 12:37:04 gitea gitea[25215]: 2021/09/01 12:37:04 Completed GET /user/login 200 OK in 4.64655ms

Description

We used to download release zip (using ansible), since 1.15.0, using curl, curl --netrc --location https://instance/:owner/:repo/releases/download/:tag/some.zip redirects to /user/login instead of the attachment

so we have the html page instead of the zip content

Note that getting a file from the repo, for exemple curl --netrc --location https://instance/:owner/:repo/raw/branch/develop/Jenkinsfile works well, so definitively not a auth error
Didn't get this issue with 1.14.6 (nor with previous versions)
@kenji21
Copy link
Author

kenji21 commented Sep 1, 2021

Tried to downgrade to 1.14.6, but, log shows it isn't a good idea:

Downgrading database version from '189' to '178' is not supported and may result in loss of data integrity.
If you really know what you're doing, execute `UPDATE version SET version=178 WHERE id=1;

@zeripath
Copy link
Contributor

zeripath commented Sep 1, 2021

Ah, so we now no longer allow BASIC authentication to get to UI urls. Whilst #15987 added support for raw - no one has reported that releases also need to allow BASIC authentication.

A workaround is to use api paths for these.

As this change was not intended to be breaking I suspect we should add another PR like #15987.

zeripath added a commit to zeripath/gitea that referenced this issue Sep 1, 2021
@zeripath
Allow BASIC authentication access to /:owner/:repo/releases/download/*
983115b 
Duplicate go-gitea#15987 to allow access to releases download through BASIC authentication.

Fix go-gitea#16914

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this issue Sep 1, 2021
Merged
@zeripath
Copy link
Contributor

zeripath commented Sep 1, 2021

Please could you confirm which urls you need to be able to access through BASIC auth

@kenji21
Copy link
Author

kenji21 commented Sep 2, 2021

All files that are uploaded on a release (we only upload one zip, often named build.zip or dist.zip, but maybe other users upload more files/kind of files), so I think only of: https://instance/:owner/:repo/releases/download/:tag/build.zip

@lunny lunny added the issue/regression Indicates a previously functioning feature or behavior that has broken or regressed after a change label Sep 2, 2021
@lunny lunny added this to the 1.15.1 milestone Sep 2, 2021
zeripath added a commit that referenced this issue Sep 2, 2021
@zeripath
Allow BASIC authentication access to /:owner/:repo/releases/download/* (
a75b2f2 
#16916)

Duplicate #15987 to allow access to releases download through BASIC authentication.

Fix #16914

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this issue Sep 2, 2021
@zeripath
Allow BASIC authentication access to /:owner/:repo/releases/download/* (
dcc5d1a 
go-gitea#16916)

Backport go-gitea#16916

Duplicate go-gitea#15987 to allow access to releases download through BASIC authentication.

Fix go-gitea#16914

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this issue Sep 2, 2021
Merged
techknowlogick pushed a commit that referenced this issue Sep 2, 2021
@zeripath
Allow BASIC authentication access to /:owner/:repo/releases/download/* (
ceae89c 
#16916) (#16923)

Backport #16916

Duplicate #15987 to allow access to releases download through BASIC authentication.

Fix #16914

Signed-off-by: Andrew Thornton <art27@cantab.net>
@kenji21
Copy link
Author

kenji21 commented Sep 2, 2021
edited
Loading

❤️

1.15.1 deployed, I can confirm this bug is fixed

@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue/regression Indicates a previously functioning feature or behavior that has broken or regressed after a change
Projects
None yet
Milestone
1.15.1
Development

Successfully merging a pull request may close this issue.

Allow BASIC authentication access to /:owner/:repo/releases/download/* zeripath/gitea
3 participants
@lunny @kenji21 @zeripath