-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | internal/form/repo.go | 4 |
2 files changed, 6 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29bf1764..d86906fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 - Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409)
+- [Security] Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
+
 ### Removed
diff --git a/internal/form/repo.go b/internal/form/repo.go
index 26acb2bf..ed963307 100644
--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@@ -72,6 +72,10 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 }
+ // To prevent CRLF injection in git protocol, see https://github.com/gogs/gogs/issues/6413
+ if u.Scheme == "git" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+ return "", db.ErrInvalidCloneAddr{IsURLError: true}
+ }
 remoteAddr = u.String()
 } else if !user.CanImportLocal() {
 return "", db.ErrInvalidCloneAddr{IsPermissionDenied: true}
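Review bot: The new guard in ParseRemoteAddr matches only the lowercase spellings `%0d` and `%0a`, but percent-encoding is case-insensitive under RFC 3986, so the uppercase forms of the same CR and LF octets are not rejected; compare against a case-folded copy instead, e.g. `lower := strings.ToLower(remoteAddr)` followed by `if u.Scheme == "git" && (strings.Contains(lower, "%0d") || strings.Contains(lower, "%0a")) {`. The check also inspects the raw remoteAddr string rather than the parsed components of u, and it applies to the `git` scheme only; whether other schemes handled by this path need the same treatment cannot be judged from this hunk. It would help the next reader if the comment said which downstream consumer is being protected and why percent-encoded CR/LF in particular is the concern. ParseRemoteAddr begins and ends outside the hunk.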