lunny
Member

@lunny lunny commented Nov 2, 2023

No description provided.

@GiteaBot GiteaBot added the lgtm/need 2 label (This PR needs two approvals by maintainers to be considered for merging.) Nov 2, 2023
@lunny lunny added the type/bug, backport/v1.20 (This PR should be backported to Gitea 1.20) and backport/v1.21 (This PR should be backported to Gitea 1.21) labels Nov 2, 2023
@GiteaBot GiteaBot added the lgtm/need 1 label (This PR needs approval from one additional maintainer to be merged.) and removed the lgtm/need 2 label Nov 2, 2023
@delvh delvh added the type/refactoring label (Existing code has been cleaned up. There should be no new functionality.) and removed the lgtm/need 1 label Nov 2, 2023
@GiteaBot GiteaBot added the lgtm/need 1 label Nov 2, 2023
@GiteaBot GiteaBot added the lgtm/done label (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the lgtm/need 1 label Nov 2, 2023
@lunny lunny merged commit 0ba4ecc into go-gitea:main Nov 2, 2023
@GiteaBot GiteaBot added this to the 1.22.0 milestone Nov 2, 2023
@lunny lunny deleted the lunny/fix_http_protocol_auth branch November 2, 2023 14:14
@GiteaBot
Collaborator

GiteaBot commented Nov 2, 2023

I was unable to create a backport for 1.20. @lunny, please send one manually. 🍵

go run ./contrib/backport 27875
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual label (No power to the bots! Create your backport yourself!) Nov 2, 2023
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 2, 2023
silverwind pushed a commit that referenced this pull request Nov 2, 2023
Backport #27875 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@lunny lunny added the backport/done label (All backports for this PR have been created) Nov 2, 2023
lunny added a commit to lunny/gitea that referenced this pull request Nov 2, 2023
silverwind pushed a commit that referenced this pull request Nov 2, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 3, 2023
* upstream/main:
  Refactor Find Sources and fix bug when view a user who belongs to an unactive auth source (go-gitea#27798)
  [skip ci] Updated translations via Crowdin
  Add `Hide/Show all checks` button to commit status check (go-gitea#26284)
  Fix http protocol auth (go-gitea#27875)
  Display issue task list on project cards (go-gitea#27865)
  Reduce margin/padding on flex-list items and divider (go-gitea#27872)
@lng2020 lng2020 removed the backport/manual label Nov 12, 2023
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this pull request Jan 17, 2024
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jan 31, 2024
@wxiaoguang
Contributor

wxiaoguang commented Mar 26, 2025

Do you have ideas why the code was copied to the middleware before the redirection handling?

@lunny
Member Author

lunny commented Mar 27, 2025

> Do you have ideas why the code was copied to the middleware before the redirection handling?

This addresses a potential security issue where unauthorized users could be redirected to the renamed repository URL. As a result, a malicious Git client could infer the existence of private repositories.
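
The ordering described in the comment above, as an added example that is not part of this PR or of Gitea's code: a hypothetical handler `gitHTTP` with constructed repository paths, where `authFirst` selects whether the credential check runs before the rename lookup. It assumes any Basic credentials are valid and skips per-repository authorization.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data: one private repository that was renamed.
var repos = map[string]bool{"/acme/new-name.git": true}
var renamed = map[string]string{"/acme/old-name.git": "/acme/new-name.git"}

// gitHTTP is a hypothetical endpoint; authFirst puts the credential check first.
func gitHTTP(authFirst bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _, authed := r.BasicAuth() // assumption: any credentials are valid
		if authFirst && !authed {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // same answer for live, renamed and missing repositories
		}
		if target, ok := renamed[r.URL.Path]; ok {
			http.Redirect(w, r, target, http.StatusTemporaryRedirect)
			return
		}
		switch {
		case !authed:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case !repos[r.URL.Path]:
			http.NotFound(w, r)
		default:
			w.WriteHeader(http.StatusOK)
		}
	})
}

// probe sends one request and returns the status code and Location header.
func probe(h http.Handler, path string, withCreds bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if withCreds {
		req.SetBasicAuth("alice", "constructed-password")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	fmt.Println(probe(gitHTTP(false), "/acme/old-name.git", false)) // redirect first
	fmt.Println(probe(gitHTTP(true), "/acme/old-name.git", false))  // auth first
}
```

With the redirect handled first, an unauthenticated request for the old name gets a `Location` header while a request for a name that never existed gets 401; with the check first, both get the same 401 and authenticated clients still follow the rename.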

@wxiaoguang
Contributor

It seems quite trivial and not a real security problem ......

Labels
  backport/done: All backports for this PR have been created
  backport/v1.20: This PR should be backported to Gitea 1.20
  backport/v1.21: This PR should be backported to Gitea 1.21
  lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
  type/bug
  type/refactoring: Existing code has been cleaned up. There should be no new functionality.