From cd469f7a1dcff9f6d7a7ef2fbc76fd7ba0fceed7 Mon Sep 17 00:00:00 2001
From: stypr
Date: Fri, 27 Nov 2020 19:52:42 +0900
Subject: repo: disallow urlencoded new lines in git protocol paths (#6420)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: ᴜɴᴋɴᴡᴏɴ
---
 internal/form/repo.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'internal/form')

diff --git a/internal/form/repo.go b/internal/form/repo.go
index 26acb2bf..ed963307 100644
--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@@ -72,6 +72,10 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 }
+ // To prevent CRLF injection in git protocol, see https://github.com/gogs/gogs/issues/6413
+ if u.Scheme == "git" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+ return "", db.ErrInvalidCloneAddr{IsURLError: true}
+ }
 remoteAddr = u.String()
 } else if !user.CanImportLocal() {
 return "", db.ErrInvalidCloneAddr{IsPermissionDenied: true}
-- 
cgit v1.2.3
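Review bot: The new check on the added `if u.Scheme == "git"` line is case-sensitive, but percent-encoding is case-insensitive and `url.Parse` decodes `%0D`/`%0A` exactly like `%0d`/`%0a`, so the guard only catches the lowercase spelling. Normalise before matching, e.g. `lowered := strings.ToLower(remoteAddr)` followed by `if u.Scheme == "git" && (strings.Contains(lowered, "%0d") || strings.Contains(lowered, "%0a")) {`, or more robustly test the already-decoded fields of `u` for literal `\r`/`\n` with `strings.ContainsAny`, which also covers other encodings the parser accepts. The check is also placed before `remoteAddr = u.String()`, so a comment stating that it intentionally inspects the raw input rather than the re-serialised URL would help the next reader. ParseRemoteAddr begins and ends outside the hunk, so whether the scheme is validated elsewhere cannot be confirmed here.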