
#3057 retrieve webhook with repo_id

This prevents a user from retrieving an arbitrary webhook by changing the URL
to access webhooks that belong to other repositories they are not authorized for.
Unknwon 10 سال پیش
والد
کامیت
d62ab49978
6فایلهای تغییر یافته به همراه9 افزوده شده و 9 حذف شده
  1. 1 1
      README.md
  2. 1 1
      gogs.go
  3. 4 4
      models/webhook.go
  4. 1 1
      routers/api/v1/repo/hook.go
  5. 1 1
      routers/repo/webhook.go
  6. 1 1
      templates/.VERSION

+ 1 - 1
README.md

@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
+##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|

+ 1 - 1
gogs.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.37.0708"
+const APP_VER = "0.9.38.0708"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())

+ 4 - 4
models/webhook.go

@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 	return err
 }
 
-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 	w := new(Webhook)
-	has, err := x.Id(id).Get(w)
+	has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 	if err != nil {
 		return nil, err
 	} else if !has {
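Review bot: The new `And("repo_id=?", repoID)` filter makes every lookup repository-scoped, which is right for the access-control fix but leaves no way to fetch a hook that is not owned by a repository. The `*OrgRepoCtx` return type of checkWebhook in routers/repo/webhook.go suggests organization-level hooks exist; if they are stored in this table without a matching repo_id, both that caller and the `GetWebhookByID(t.RepoID, t.HookID)` call in deliver() would now get a not-found result for them, so the last-delivery status would silently stop updating. Consider a sibling getter scoped to the owning organization, and document the contract on this one, e.g. `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID.` The function body continues past the hunk, so the not-found handling itself is not visible here.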
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 		}
 
 		// Update webhook last delivery status.
-		w, err := GetWebhookByID(t.HookID)
+		w, err := GetWebhookByID(t.RepoID, t.HookID)
 		if err != nil {
 			log.Error(5, "GetWebhookByID: %v", err)
 			return

+ 1 - 1
routers/api/v1/repo/hook.go

@@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 
 // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
 func EditHook(ctx *context.APIContext, form api.EditHookOption) {
-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Status(404)

+ 1 - 1
routers/repo/webhook.go

@@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
 	}
 	ctx.Data["BaseLink"] = orCtx.Link
 
-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Handle(404, "GetWebhookByID", nil)
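Review bot: `ctx.Repo.Repository.ID` on the new line is dereferenced unconditionally, while checkWebhook returns an `*OrgRepoCtx` and so presumably also serves organization-level hook pages where no repository is loaded. If `ctx.Repo.Repository` can be nil on that path, the request would panic rather than return 404. Branching on what `orCtx` already holds before the lookup, with the repository-scoped call used only when a repository is present, would keep the ownership check without that risk; at minimum `if ctx.Repo.Repository == nil { ctx.Handle(404, "GetWebhookByID", nil); return nil, nil }`. The function starts and ends outside the hunk, so an earlier guard may already exist and is worth confirming.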

+ 1 - 1
templates/.VERSION

@@ -1 +1 @@
-0.9.37.0708
+0.9.38.0708