Fix reported vulnerability

Ability to use labels from arbitrary repositories.

Reported by Miguel Ángel Jimeno.

4 files changed, 4 insertions, 4 deletions

diff --git a/README.md b/README.md
index 9900e1ed..1a8f035f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current tip version: 0.9.109 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions ~~or submit a task on [alpha stage automated binary building system](https://build.gogs.io/)~~)
+##### Current tip version: 0.9.110 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions ~~or submit a task on [alpha stage automated binary building system](https://build.gogs.io/)~~)
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|
diff --git a/gogs.go b/gogs.go
index 25da7ffd..0661e10f 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.109.1222"
+const APP_VER = "0.9.110.1222"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/routers/repo/issue.go b/routers/repo/issue.go
index cb508052..aa95c736 100644
--- a/routers/repo/issue.go
+++ b/routers/repo/issue.go
@@ -721,7 +721,7 @@ func UpdateIssueLabel(ctx *context.Context) {
 		}
 	} else {
 		isAttach := ctx.Query("action") == "attach"
-		label, err := models.GetLabelByID(ctx.QueryInt64("id"))
+		label, err := models.GetLabelInRepoByID(ctx.Repo.Repository.ID, ctx.QueryInt64("id"))
 		if err != nil {
 			if models.IsErrLabelNotExist(err) {
 				ctx.Error(404, "GetLabelByID")
diff --git a/templates/.VERSION b/templates/.VERSION
index e3fbc1e9..89e58b46 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.109.1222
\ No newline at end of file
+0.9.110.1222
\ No newline at end of file