From e9838a83ce2893476a14b27236dd50bb4ea09453 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Sat, 4 Mar 2017 21:26:32 -0500
Subject: routers/repo/http: only prompt HTTP Basic Authentication when intended

Sometimes user could simply request wrong URL, but if that wrong URL has nothing related Git HTTP operations, HTTP Basic Authentication should not prompted. Instead, clean 404 page should be presented. The patch also supports Git HTTP operations without '.git' suffix to the repository name, which addresses #4226 and #4189.
---
 routers/repo/http.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'routers/repo/http.go')
diff --git a/routers/repo/http.go b/routers/repo/http.go
index e67a5b08..c7dbe876 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -76,6 +76,16 @@ func HTTPContexter() macaron.Handler {
 return
 }

+ // In case user requested a wrong URL and not intended to access Git objects.
+ action := ctx.Params("*")
+ if !strings.Contains(action, "git-") &&
+ !strings.Contains(action, "info/") &&
+ !strings.Contains(action, "HEAD") &&
+ !strings.Contains(action, "objects/") {
+ ctx.NotFound()
+ return
+ }
+
 // Handle HTTP Basic Authentication
 authHead := ctx.Req.Header.Get("Authorization")
 if len(authHead) == 0 {
-- 
cgit v1.2.3
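Review bot: The four `strings.Contains` tests on `ctx.Params("*")` match their tokens anywhere in the wildcard path, so a mistyped URL that merely contains `HEAD`, `info/`, `git-` or `objects/` (inside a file or branch name, say) still falls through to the Basic Authentication prompt this change is meant to suppress. If the wildcard holds only the part after the repository name (the route is not visible in this hunk, so confirm), anchoring the tests would be tighter, e.g. `action == "HEAD"` and `strings.HasPrefix(action, "objects/")`, with the same treatment for `git-` and `info/`. The added comment should also state that this is a usability filter and not an access decision, along the lines of `// Not an access check: paths that pass still go through the Basic Authentication handling below.`, so that later edits do not come to rely on it as a gate. The handler body returned by HTTPContexter starts and ends outside the hunk.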