Disallow urlencoded new lines in git protocol paths if there is a port (

go-gitea#13521) (go-gitea#13524) Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
lunny · Nov 11, 2020 · 122f8f8 · 122f8f8
1 parent 1f72656
commit 122f8f8
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
@@ -102,6 +102,9 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string, user *models
 			u.User = url.UserPassword(authUsername, authPassword)
 		}
 		remoteAddr = u.String()
+		if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", models.ErrInvalidCloneAddr{IsURLError: true}
+		}
 	} else if !user.CanImportLocal() {
 		return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
 	} else if !com.IsDir(remoteAddr) {