CVE-2022-1993: http: clean request path from Git endpoints (#7022) · gogs/gogs@9bf748b

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

CVE
#git

@@ -24,6 +24,7 @@ import ( “gogs.io/gogs/internal/conf” “gogs.io/gogs/internal/db” “gogs.io/gogs/internal/lazyregexp” “gogs.io/gogs/internal/pathutil” “gogs.io/gogs/internal/tool” )
@@ -408,15 +409,21 @@ func HTTP(c *HTTPContext) { }
if route.method != c.Req.Method { c.NotFound() c.Error(http.StatusNotFound) return }
file := strings.TrimPrefix(reqPath, m[1]+"/") dir, err := getGitRepoPath(m[1]) cleaned := pathutil.Clean(m[1]) if m[1] != "/"+cleaned { c.Error(http.StatusBadRequest, “Request path contains suspicious characters”) return }
file := strings.TrimPrefix(reqPath, cleaned) dir, err := getGitRepoPath(cleaned) if err != nil { log.Warn("HTTP.getGitRepoPath: %v", err) c.NotFound() c.Error(http.StatusNotFound) return }
@@ -435,5 +442,5 @@ func HTTP(c *HTTPContext) { return }
c.NotFound() c.Error(http.StatusNotFound) }
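Review bot: in the second hunk the prefix stripped from `reqPath` changes from `m[1]+"/"` to `cleaned`, and the new guard `m[1] != "/"+cleaned` establishes that `cleaned` is `m[1]` without its leading slash; since the old code stripped `m[1]+"/"` from the front of `reqPath`, `strings.TrimPrefix(reqPath, cleaned)` will not match at position 0 any more and also no longer removes the trailing "/", so `file` may keep the repository segment. Confirm that `file` still ends up relative to the repository, or keep `strings.TrimPrefix(reqPath, m[1]+"/")` now that `m[1]` has been validated. The guard also covers only `m[1]`; the remainder of `reqPath` that becomes `file` is not passed through `pathutil.Clean` in this hunk, which is acceptable only if the route patterns restrict that suffix to fixed Git endpoint names.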

Related news

GHSA-6vcc-v9vw-g2x5: Path Traversal in Git HTTP endpoints in Gogs

### Impact

A malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected.

### Patches

Path cleaning has been extended to the Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

### Workarounds

N/A

### References

https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/

### For more information

If you have any questions or comments about this advisory, please post on #7002.
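The rule the patch applies is simple to state: clean the repository part of the request path, and reject the request unless the cleaned form is byte-for-byte identical to what the client sent, so that only paths that go straight down from the repository root ever reach the repository lookup. The following Go program is an added example that is not part of the Gogs project; `cleanRepoPath` is my own stand-in for the project's internal `pathutil.Clean` (built on the standard library's `path.Clean`, an assumption about its semantics), and `validateRepoPath` reproduces the guard from the commit on constructed sample paths.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrSuspiciousPath is returned when cleaning would change the request path.
// The handler in the patch maps this case to an HTTP 400 response.
var ErrSuspiciousPath = errors.New("request path contains suspicious characters")

// cleanRepoPath is a stand-in for the project's internal pathutil.Clean
// (assumption: this is not the original helper). It normalises backslashes,
// collapses "." and ".." segments and duplicate slashes with path.Clean, and
// returns a relative path with no leading or trailing slash.
func cleanRepoPath(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.Trim(path.Clean("/"+p), "/")
}

// validateRepoPath applies the same rule as the patch: the repository part of
// the request path (m[1] in the commit, e.g. "/alice/project") must equal
// "/" + its cleaned form. Anything that cleaning would rewrite, such as "..",
// "//", backslashes or a trailing slash, is rejected with ErrSuspiciousPath.
// On success it returns the cleaned, relative repository path, which is the
// only value that should be joined onto the repository root on disk.
func validateRepoPath(repoPart string) (string, error) {
	cleaned := cleanRepoPath(repoPart)
	if repoPart != "/"+cleaned {
		return "", ErrSuspiciousPath
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs: one well-formed repository path followed by
	// several that cleaning would rewrite and the guard therefore rejects.
	samples := []string{
		"/alice/project",
		"/alice/../bob/project",
		"/alice//project",
		`/alice\..\bob\project`,
		"/alice/project/",
	}
	for _, s := range samples {
		cleaned, err := validateRepoPath(s)
		if err != nil {
			fmt.Printf("%-26q -> 400 %v\n", s, err)
			continue
		}
		fmt.Printf("%-26q -> ok, repository dir %q\n", s, cleaned)
	}
}
```

The comparison against the cleaned form is what makes the check robust: rather than searching for a known-bad substring such as `..`, it accepts only inputs on which cleaning is a no-op, so any encoding or separator trick that the cleaner normalises away is rejected as well.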
