1
1
mirror of https://github.com/go-gitea/gitea synced 2025-01-08 17:04:25 +00:00

Use shellquote to unpack arguments to gitea serv (#12624)

Fix #12471

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2020-08-28 20:55:25 +01:00 committed by GitHub
parent 274f9233ab
commit 7ba6fea0b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -25,6 +25,7 @@ import (
"code.gitea.io/gitea/modules/setting"
"github.com/dgrijalva/jwt-go"
"github.com/kballard/go-shellquote"
"github.com/unknwon/com"
"github.com/urfave/cli"
)
@ -59,14 +60,6 @@ func setup(logPath string, debug bool) {
}
}
func parseCmd(cmd string) (string, string) {
ss := strings.SplitN(cmd, " ", 2)
if len(ss) != 2 {
return "", ""
}
return ss[0], strings.Replace(ss[1], "'/", "'", 1)
}
var (
allowedCommands = map[string]models.AccessMode{
"git-upload-pack": models.AccessModeRead,
@ -126,7 +119,20 @@ func runServ(c *cli.Context) error {
return nil
}
verb, args := parseCmd(cmd)
words, err := shellquote.Split(cmd)
if err != nil {
fail("Error parsing arguments", "Failed to parse arguments: %v", err)
}
if len(words) < 2 {
fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
}
verb := words[0]
repoPath := words[1]
if repoPath[0] == '/' {
repoPath = repoPath[1:]
}
var lfsVerb string
if verb == lfsAuthenticateVerb {
@ -134,17 +140,14 @@ func runServ(c *cli.Context) error {
fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
}
argsSplit := strings.Split(args, " ")
if len(argsSplit) >= 2 {
args = strings.TrimSpace(argsSplit[0])
lfsVerb = strings.TrimSpace(argsSplit[1])
if len(words) > 2 {
lfsVerb = words[2]
}
}
repoPath := strings.ToLower(strings.Trim(args, "'"))
rr := strings.SplitN(repoPath, "/", 2)
if len(rr) != 2 {
fail("Invalid repository path", "Invalid repository path: %v", args)
fail("Invalid repository path", "Invalid repository path: %v", repoPath)
}
username := strings.ToLower(rr[0])