mirror: use Git command to update origin remote address (#5767) (#5865)

Fixes a RCE reported by @ManassehZhou and @zeripath.
author: Unknwon <u@gogs.io> 2019-11-16 21:26:06 -0800
committer: GitHub <noreply@github.com> 2019-11-16 21:26:06 -0800
commit: bbc12378d4320eb886cc6835fe0b1be038e8ac98 (patch)
tree: 9ce00de5ef411bfab8d5fa54fc127baf8f9e8150 /internal/db
parent: 5bec61b824e58a8923fb59680115066b405e02c6 (diff)
1 files changed, 12 insertions, 5 deletions
diff --git a/internal/db/mirror.go b/internal/db/mirror.go
index b165cbfc..0481e1d0 100644
--- a/internal/db/mirror.go
+++ b/internal/db/mirror.go
@@ -179,14 +179,21 @@ func escapeMirrorCredentials(addr string) string {
 
 // SaveAddress writes new address to Git repository config.
 func (m *Mirror) SaveAddress(addr string) error {
-	configPath := m.Repo.GitConfigPath()
-	cfg, err := ini.Load(configPath)
+	repoPath := m.Repo.RepoPath()
+
+	err := git.RemoveRemote(repoPath, "origin")
+	if err != nil {
+		return fmt.Errorf("remove remote 'origin': %v", err)
+	}
+
+	err = git.AddRemote(repoPath, "origin", addr, git.AddRemoteOptions{
+		Mirror: true,
+	})
 	if err != nil {
-		return fmt.Errorf("Load: %v", err)
+		return fmt.Errorf("add remote 'origin': %v", err)
 	}
 
-	cfg.Section(`remote "origin"`).Key("url").SetValue(escapeMirrorCredentials(addr))
-	return cfg.SaveToIndent(configPath, "\t")
+	return nil
 }
 
 const GIT_SHORT_EMPTY_SHA = "0000000"
author	Unknwon <u@gogs.io>	2019-11-16 21:26:06 -0800
committer	GitHub <noreply@github.com>	2019-11-16 21:26:06 -0800
commit	bbc12378d4320eb886cc6835fe0b1be038e8ac98 (patch)
tree	9ce00de5ef411bfab8d5fa54fc127baf8f9e8150 /internal/db
parent	5bec61b824e58a8923fb59680115066b405e02c6 (diff)