author | Runxi Yu <me@runxiyu.org> | 2025-03-22 11:44:59 +0800 |
---|---|---|
committer | Runxi Yu <me@runxiyu.org> | 2025-03-22 11:44:59 +0800 |
commit | c7440c2c3366e516ef9b0f4c34093e0c7f5c23d4 (patch) | |
tree | 4695fba3ffb65a2abbadda90bac2c7511ffcaaf7 /http_server.go | |
parent | Fix HTTPS cloning (diff) | |
Fix tree/raw redirection and disallow slashes in their path segments
Diffstat (limited to 'http_server.go')
-rw-r--r-- | http_server.go | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/http_server.go b/http_server.go
index c883cdf..584c48d 100644
--- a/http_server.go
+++ b/http_server.go
@@ -28,7 +28,6 @@ func (router *forgeHTTPRouter) ServeHTTP(w http.ResponseWriter, r *http.Request)
 return
 }
 if segments[len(segments)-1] == "" {
- // Might assign a trailing bool here
 segments = segments[:len(segments)-1]
 }
 
@@ -172,12 +171,20 @@ func (router *forgeHTTPRouter) ServeHTTP(w http.ResponseWriter, r *http.Request)
 repoFeature := segments[sepIndex+3]
 switch repoFeature {
 case "tree":
+ if anyContain(segments[sepIndex+4:], "/") {
+ errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
+ return
+ }
 params["rest"] = strings.Join(segments[sepIndex+4:], "/")
 if len(segments) < sepIndex+5 && redirectDir(w, r) {
 return
 }
 httpHandleRepoTree(w, r, params)
 case "raw":
+ if anyContain(segments[sepIndex+4:], "/") {
+ errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
+ return
+ }
 params["rest"] = strings.Join(segments[sepIndex+4:], "/")
 if len(segments) < sepIndex+5 && redirectDir(w, r) {
 return |
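Review bot: The new guard in the `tree` and `raw` cases rejects only a literal "/" inside a segment, and nothing in the hunk says how a segment could contain one; presumably the segments are percent-decoded one by one earlier in ServeHTTP (outside this hunk), so an encoded slash would otherwise change the meaning of `params["rest"]` after the `strings.Join`. I would record that above the first check, for example `// Segments are unescaped individually; reject a decoded "/" before joining them into params["rest"].`, worded to match what the decoding code actually does. Segments such as `..` or `.` still pass this check, so it is worth confirming that httpHandleRepoTree and the raw handler resolve `rest` only against the git tree and never against a filesystem path. The same four lines are pasted into both cases and the `raw` case reports "Repo tree paths …"; a small shared helper, or a raw-specific message, would keep the two checks from drifting apart.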