Diffstat (limited to 'modules/auth')
-rw-r--r--modules/auth/admin.go25
-rw-r--r--modules/auth/apiv1/miscellaneous.go4
-rw-r--r--modules/auth/auth.go20
-rw-r--r--modules/auth/auth_form.go4
-rw-r--r--modules/auth/ldap/ldap.go44
-rw-r--r--modules/auth/org.go4
-rw-r--r--modules/auth/repo_form.go52
-rw-r--r--modules/auth/user_form.go8
8 files changed, 119 insertions, 42 deletions
diff --git a/modules/auth/admin.go b/modules/auth/admin.go
index a4aa67ff..1530212b 100644
--- a/modules/auth/admin.go
+++ b/modules/auth/admin.go
@@ -5,9 +5,9 @@
package auth
import (
- "github.com/Unknwon/macaron"
+ "gopkg.in/macaron.v1"
- "github.com/macaron-contrib/binding"
+ "github.com/go-macaron/binding"
)
type AdminCrateUserForm struct {
@@ -24,16 +24,17 @@ func (f *AdminCrateUserForm) Validate(ctx *macaron.Context, errs binding.Errors)
}
type AdminEditUserForm struct {
- LoginType string `binding:"Required"`
- LoginName string
- FullName string `binding:"MaxSize(100)"`
- Email string `binding:"Required;Email;MaxSize(254)"`
- Password string `binding:"MaxSize(255)"`
- Website string `binding:"MaxSize(50)"`
- Location string `binding:"MaxSize(50)"`
- Active bool
- Admin bool
- AllowGitHook bool
+ LoginType string `binding:"Required"`
+ LoginName string
+ FullName string `binding:"MaxSize(100)"`
+ Email string `binding:"Required;Email;MaxSize(254)"`
+ Password string `binding:"MaxSize(255)"`
+ Website string `binding:"MaxSize(50)"`
+ Location string `binding:"MaxSize(50)"`
+ Active bool
+ Admin bool
+ AllowGitHook bool
+ AllowImportLocal bool
}
func (f *AdminEditUserForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
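Review bot: The new `AllowImportLocal` field is an access-control switch with no comment saying what it unlocks; from `MigrateRepoForm.ParseRemoteAddr` in this same change it appears to be what `user.CanImportLocal()` reads, which lets a migration read any directory the server process can reach. Document it at the field: `AllowImportLocal bool // permits migrating from local filesystem paths on the server (see MigrateRepoForm.ParseRemoteAddr)`. The struct is fully visible but its Validate method continues past the hunk.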
diff --git a/modules/auth/apiv1/miscellaneous.go b/modules/auth/apiv1/miscellaneous.go
index e05b4838..5032f0ac 100644
--- a/modules/auth/apiv1/miscellaneous.go
+++ b/modules/auth/apiv1/miscellaneous.go
@@ -7,8 +7,8 @@ package apiv1
import (
"reflect"
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
+ "github.com/go-macaron/binding"
+ "gopkg.in/macaron.v1"
"github.com/gogits/gogs/modules/auth"
)
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index ecae5b06..2e4c80c5 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -10,9 +10,9 @@ import (
"time"
"github.com/Unknwon/com"
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
- "github.com/macaron-contrib/session"
+ "github.com/go-macaron/binding"
+ "github.com/go-macaron/session"
+ "gopkg.in/macaron.v1"
"github.com/gogits/gogs/models"
"github.com/gogits/gogs/modules/base"
@@ -181,7 +181,7 @@ func AssignForm(form interface{}, data map[string]interface{}) {
}
}
-func getSize(field reflect.StructField, prefix string) string {
+func getRuleBody(field reflect.StructField, prefix string) string {
for _, rule := range strings.Split(field.Tag.Get("binding"), ";") {
if strings.HasPrefix(rule, prefix) {
return rule[len(prefix) : len(rule)-1]
@@ -191,15 +191,19 @@ func getSize(field reflect.StructField, prefix string) string {
}
func GetSize(field reflect.StructField) string {
- return getSize(field, "Size(")
+ return getRuleBody(field, "Size(")
}
func GetMinSize(field reflect.StructField) string {
- return getSize(field, "MinSize(")
+ return getRuleBody(field, "MinSize(")
}
func GetMaxSize(field reflect.StructField) string {
- return getSize(field, "MaxSize(")
+ return getRuleBody(field, "MaxSize(")
+}
+
+func GetInclude(field reflect.StructField) string {
+ return getRuleBody(field, "Include(")
}
// FIXME: struct contains a struct
@@ -260,6 +264,8 @@ func validate(errs binding.Errors, data map[string]interface{}, f Form, l macaro
data["ErrorMsg"] = trName + l.Tr("form.email_error")
case binding.ERR_URL:
data["ErrorMsg"] = trName + l.Tr("form.url_error")
+ case binding.ERR_INCLUDE:
+ data["ErrorMsg"] = trName + l.Tr("form.include_error", GetInclude(field))
default:
data["ErrorMsg"] = l.Tr("form.unknown_error") + " " + errs[0].Classification
}
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
index 7ac47fcc..6f356344 100644
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@@ -5,8 +5,8 @@
package auth
import (
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
+ "github.com/go-macaron/binding"
+ "gopkg.in/macaron.v1"
)
type AuthenticationForm struct {
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 382b5b86..a00bcf85 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -9,6 +9,7 @@ package ldap
import (
"crypto/tls"
"fmt"
+ "strings"
"github.com/gogits/gogs/modules/ldap"
"github.com/gogits/gogs/modules/log"
@@ -33,6 +34,28 @@ type Source struct {
Enabled bool // if this source is disabled
}
+func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
+ // See http://tools.ietf.org/search/rfc4515
+ badCharacters := "\x00()*\\"
+ if strings.ContainsAny(username, badCharacters) {
+ log.Debug("'%s' contains invalid query characters. Aborting.", username)
+ return "", false
+ }
+
+ return fmt.Sprintf(ls.Filter, username), true
+}
+
+func (ls *Source) sanitizedUserDN(username string) (string, bool) {
+ // See http://tools.ietf.org/search/rfc4514: "special characters"
+ badCharacters := "\x00()*\\,='\"#+;<> "
+ if strings.ContainsAny(username, badCharacters) {
+ log.Debug("'%s' contains invalid DN characters. Aborting.", username)
+ return "", false
+ }
+
+ return fmt.Sprintf(ls.UserDN, username), true
+}
+
func (ls *Source) FindUserDN(name string) (string, bool) {
l, err := ldapDial(ls)
if err != nil {
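Review bot: Both helpers log the rejected value verbatim with `%s` (`log.Debug("'%s' contains invalid query characters. Aborting.", username)`) although the only filtering applied is the LDAP metacharacter set, so CR/LF and other control characters in an attacker-supplied login name go straight into the log; use `%q` so the value is escaped and an empty string is visible. The deny-list rejects rather than RFC-escapes, which means a legitimate directory user whose name contains a space can never authenticate through the direct-bind path — worth a comment on `sanitizedUserDN`, or an allow-list such as `[A-Za-z0-9._@-]` that states the accepted set positively. Neither helper rejects an empty username; it is presumably caught by the login form, but `fmt.Sprintf(ls.Filter, "")` otherwise produces a filter like `(uid=)` that is still sent to the server, so a `username == ""` guard here is cheap.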
@@ -55,7 +78,11 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
}
// A search for the user.
- userFilter := fmt.Sprintf(ls.Filter, name)
+ userFilter, ok := ls.sanitizedUserQuery(name)
+ if !ok {
+ return "", false
+ }
+
log.Trace("Searching using filter %s", userFilter)
search := ldap.NewSearchRequest(
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
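Review bot: The new `sanitizedUserQuery` check runs only after the connection has been dialed and (above the hunk) the service-account bind performed, so malformed input still costs an LDAP round-trip and a bind before being rejected; validate `name` at the top of `FindUserDN`, before `ldapDial`. The early `return "", false` in the `!ok` branch also relies on a `defer l.Close()` that is not visible in this hunk — if it is absent, the rejected path leaks the connection. `FindUserDN` starts and ends outside the hunk.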
@@ -85,7 +112,12 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
var userDN string
if directBind {
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
- userDN = fmt.Sprintf(ls.UserDN, name)
+
+ var ok bool
+ userDN, ok = ls.sanitizedUserDN(name)
+ if !ok {
+ return "", "", "", false, false
+ }
} else {
log.Trace("LDAP will use BindDN.")
@@ -98,7 +130,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
l, err := ldapDial(ls)
if err != nil {
- log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
+ log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
ls.Enabled = false
return "", "", "", false, false
}
@@ -112,7 +144,11 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
log.Trace("Bound successfully with userDN: %s", userDN)
- userFilter := fmt.Sprintf(ls.Filter, name)
+ userFilter, ok := ls.sanitizedUserQuery(name)
+ if !ok {
+ return "", "", "", false, false
+ }
+
search := ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
[]string{ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
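Review bot: This `sanitizedUserQuery` call happens after the user bind has succeeded (`Bound successfully`), and in the direct-bind case after `sanitizedUserDN` already rejected a superset of these characters, while on the BindDN path `name` has presumably passed the same check inside `FindUserDN`; moving the check to the top of `SearchEntry`, next to the DN check, rejects bad input before any connection is opened and makes the two paths symmetric. As in `FindUserDN`, the early return at `if !ok` depends on a `defer l.Close()` outside the hunk. `SearchEntry` begins and ends outside the hunk.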
diff --git a/modules/auth/org.go b/modules/auth/org.go
index 6d9a7269..0642d1cb 100644
--- a/modules/auth/org.go
+++ b/modules/auth/org.go
@@ -5,8 +5,8 @@
package auth
import (
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
+ "github.com/go-macaron/binding"
+ "gopkg.in/macaron.v1"
)
// ________ .__ __ .__
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 3a74bbe0..8e10dc24 100644
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -5,8 +5,14 @@
package auth
import (
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
+ "net/url"
+ "strings"
+
+ "github.com/Unknwon/com"
+ "github.com/go-macaron/binding"
+ "gopkg.in/macaron.v1"
+
+ "github.com/gogits/gogs/models"
)
// _______________________________________ _________.______________________ _______________.___.
@@ -37,8 +43,8 @@ type MigrateRepoForm struct {
AuthPassword string `json:"auth_password"`
Uid int64 `json:"uid" binding:"Required"`
RepoName string `json:"repo_name" binding:"Required;AlphaDashDot;MaxSize(100)"`
- Private bool `json:"mirror"`
- Mirror bool `json:"private"`
+ Mirror bool `json:"mirror"`
+ Private bool `json:"private"`
Description string `json:"description" binding:"MaxSize(255)"`
}
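Review bot: Swapping the `json` tags corrects the field/tag mismatch but is a visible API contract change for `MigrateRepoForm`: a client that adapted to the bug by sending `"mirror": true` to obtain a private repository will now create a public mirror instead. Call this out in the API changelog so integrators re-check which flag they send.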
@@ -46,6 +52,34 @@ func (f *MigrateRepoForm) Validate(ctx *macaron.Context, errs binding.Errors) bi
return validate(errs, ctx.Data, f, ctx.Locale)
}
+// ParseRemoteAddr checks if given remote address is valid,
+// and returns composed URL with needed username and passowrd.
+// It also checks if given user has permission when remote address
+// is actually a local path.
+func (f MigrateRepoForm) ParseRemoteAddr(user *models.User) (string, error) {
+ remoteAddr := f.CloneAddr
+
+ // Remote address can be HTTP/HTTPS/Git URL or local path.
+ if strings.HasPrefix(remoteAddr, "http://") ||
+ strings.HasPrefix(remoteAddr, "https://") ||
+ strings.HasPrefix(remoteAddr, "git://") {
+ u, err := url.Parse(remoteAddr)
+ if err != nil {
+ return "", models.ErrInvalidCloneAddr{IsURLError: true}
+ }
+ if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
+ u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
+ }
+ remoteAddr = u.String()
+ } else if !user.CanImportLocal() {
+ return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
+ } else if !com.IsDir(remoteAddr) {
+ return "", models.ErrInvalidCloneAddr{IsInvalidPath: true}
+ }
+
+ return remoteAddr, nil
+}
+
type RepoSettingForm struct {
RepoName string `binding:"Required;AlphaDashDot;MaxSize(100)"`
Description string `binding:"MaxSize(255)"`
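Review bot: In the local-path branch the only check after `user.CanImportLocal()` is `com.IsDir(remoteAddr)`; the path is neither cleaned nor constrained to a base directory, so a user with this permission can point a migration at any directory the server process can read, including other users' repositories under the repository root. State that at the top of the function (`// Local paths are trusted: CanImportLocal users may clone any directory readable by the server.`) and fix the typo `passowrd` in the doc comment. The scheme test is case-sensitive — `HTTP://host/repo` falls through to the local-path branch and is then rejected by `IsDir` — so consider matching on `strings.ToLower(remoteAddr)` or on `u.Scheme` after `url.Parse`. Since either `AuthUsername` or `AuthPassword` alone triggers `url.UserPassword`, a password without a username yields `:pw@host`; if that is intended, a one-line comment would save the next reader the question.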
@@ -181,12 +215,12 @@ func (f *CreateLabelForm) Validate(ctx *macaron.Context, errs binding.Errors) bi
// \/ \/ \/ \/ \/ \/
type NewReleaseForm struct {
- TagName string `form:"tag_name" binding:"Required"`
+ TagName string `binding:"Required"`
Target string `form:"tag_target" binding:"Required"`
- Title string `form:"title" binding:"Required"`
- Content string `form:"content" binding:"Required"`
- Draft string `form:"draft"`
- Prerelease bool `form:"prerelease"`
+ Title string `binding:"Required"`
+ Content string
+ Draft string
+ Prerelease bool
}
func (f *NewReleaseForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
diff --git a/modules/auth/user_form.go b/modules/auth/user_form.go
index 53f5fb15..bc826c69 100644
--- a/modules/auth/user_form.go
+++ b/modules/auth/user_form.go
@@ -7,8 +7,8 @@ package auth
import (
"mime/multipart"
- "github.com/Unknwon/macaron"
- "github.com/macaron-contrib/binding"
+ "github.com/go-macaron/binding"
+ "gopkg.in/macaron.v1"
)
type InstallForm struct {
@@ -30,7 +30,7 @@ type InstallForm struct {
SMTPHost string
SMTPFrom string
- SMTPEmail string `binding:"OmitEmpty;Email;MaxSize(50)" locale:"install.mailer_user"`
+ SMTPEmail string `binding:"OmitEmpty;Email;MaxSize(254)" locale:"install.mailer_user"`
SMTPPasswd string
RegisterConfirm bool
MailNotify bool
@@ -44,7 +44,7 @@ type InstallForm struct {
AdminName string `binding:"OmitEmpty;AlphaDashDot;MaxSize(30)" locale:"install.admin_name"`
AdminPasswd string `binding:"OmitEmpty;MaxSize(255)" locale:"install.admin_password"`
AdminConfirmPasswd string
- AdminEmail string `binding:"OmitEmpty;Email;MaxSize(50)" locale:"install.admin_email"`
+ AdminEmail string `binding:"OmitEmpty;MinSize(3);MaxSize(254);Include(@)" locale:"install.admin_email"`
}
func (f *InstallForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
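Review bot: Replacing the `Email` rule on `AdminEmail` with `MinSize(3);MaxSize(254);Include(@)` accepts values such as `@@@` that the previous validator rejected, and it is now inconsistent with `SMTPEmail` two hunks above, which keeps `Email`. If the intent is to admit addresses the `Email` rule wrongly rejected, say so in a comment next to the tag; otherwise keep `Email` and add `Include(@)` only as an extra constraint. The struct's remaining fields and its `Validate` method lie outside this hunk.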