Browse Source

repo/editor: disallow editing symlink while changing file name (#7857)

## Describe the pull request

Link to the issue: https://github.com/gogs/gogs/issues/7582
Joe Chen 10 months ago
parent
commit
c94baec9ca
1 changed files with 10 additions and 1 deletions
  1. 10 1
      internal/route/repo/editor.go

+ 10 - 1
internal/route/repo/editor.go

@@ -192,6 +192,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 				return
 				return
 			}
 			}
 		} else {
 		} else {
+			// 🚨 SECURITY: Do not allow editing if the target file is a symlink.
 			if entry.IsSymlink() {
 			if entry.IsSymlink() {
 				c.FormErr("TreePath")
 				c.FormErr("TreePath")
 				c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
 				c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
@@ -205,7 +206,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 	}
 	}
 
 
 	if !isNewFile {
 	if !isNewFile {
-		_, err := c.Repo.Commit.TreeEntry(oldTreePath)
+		entry, err := c.Repo.Commit.TreeEntry(oldTreePath)
 		if err != nil {
 		if err != nil {
 			if gitutil.IsErrRevisionNotExist(err) {
 			if gitutil.IsErrRevisionNotExist(err) {
 				c.FormErr("TreePath")
 				c.FormErr("TreePath")
@@ -215,6 +216,14 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 			}
 			}
 			return
 			return
 		}
 		}
+
+		// 🚨 SECURITY: Do not allow editing if the old file is a symlink.
+		if entry.IsSymlink() {
+			c.FormErr("TreePath")
+			c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", oldTreePath), tmplEditorEdit, &f)
+			return
+		}
+
 		if lastCommit != c.Repo.CommitID {
 		if lastCommit != c.Repo.CommitID {
 			files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
 			files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
 			if err != nil {
 			if err != nil {