fix: require read permissions for git-annex via ssh

The change in 5816106de5 made a bug
visible with which it was possible to read annexed content from a
private repository without having read access to it.

Prior to that commit this bug could only be triggered by having a git
version <2.29. I'd expect everyone to use a newer version than that for
a while now.

The fix is to require read permissions at a minimum for git-annex-shell
operations.
Matthias Riße 2025-06-23 17:18:52 +02:00
parent e42914e8e8
commit b65ceb31a3

@ -85,7 +85,7 @@ var (
"git-upload-archive": perm.AccessModeRead,
"git-receive-pack": perm.AccessModeWrite,
lfsAuthenticateVerb: perm.AccessModeNone,
gitAnnexShellVerb: perm.AccessModeNone, // annex permissions are enforced by GIT_ANNEX_SHELL_READONLY, rather than the Gitea API
gitAnnexShellVerb: perm.AccessModeRead, // annex permissions are enforced by GIT_ANNEX_SHELL_READONLY, rather than the Gitea API, but read permissions are required at a minimum
}
alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
)
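
Review bot: The comment on the changed gitAnnexShellVerb entry now describes two separate enforcement layers in one line and does not say why the minimum was raised, so a later reader could "simplify" it back to perm.AccessModeNone. Consider splitting it into two short comments above the entry: one stating that this map gates whether the SSH session may reach git-annex-shell at all (read access required), and one stating that GIT_ANNEX_SHELL_READONLY then decides read-only versus read-write for users who pass that gate. Among the entries visible here, lfsAuthenticateVerb still maps to perm.AccessModeNone; it would help to note in the comment or the commit message that this is intentional and where its permission check happens. No test is visible in this hunk: a regression test in which a user without read access runs a git-annex-shell command against a private repository over SSH and is rejected would keep this from reappearing.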