Disallow urlencoded new lines in git protocol paths if there is a port (

go-gitea#13521) Signed-off-by: Andrew Thornton <art27@cantab.net>
6543-forks · Nov 11, 2020 · 679efbd · 679efbd
1 parent 4a71d4d
commit 679efbd
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
@@ -97,6 +97,9 @@ func (f MigrateRepoForm) ParseRemoteAddr(user *models.User) (string, error) {
 			u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 		}
 		remoteAddr = u.String()
+		if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", models.ErrInvalidCloneAddr{IsURLError: true}
+		}
 	} else if !user.CanImportLocal() {
 		return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
 	} else if !com.IsDir(remoteAddr) {