From 02fa329a7c2190d947cd5e02ea90d2d4406653be Mon Sep 17 00:00:00 2001
From: Cirno the Strongest <1447794+CirnoT@users.noreply.github.com>
Date: Fri, 29 May 2020 16:47:17 +0200
Subject: [PATCH] Fix missing authorization check on pull for public repos of private/limited org (#11656)

Fixes #11651
---
 routers/repo/http.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/routers/repo/http.go b/routers/repo/http.go
index 650642a581..1eec033882 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -29,6 +29,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
 		environ []string
 	)
 
+	// don't allow anonymous pulls if organization is not public
+	if isPublicPull {
+		if err := repo.GetOwner(); err != nil {
+			ctx.ServerError("GetOwner", err)
+			return
+		}
+
+		askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
+	}
+
 	// check access
 	if askAuth {
 		authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
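Review bot: The new block only flips `askAuth` while `isPublicPull` stays true, so any later branch of HTTP that treats `isPublicPull` as "no authorization needed" would still let an authenticated user who is not a member of a private org pull the repository; forcing a login is not the same as checking membership, and the access check that decides this starts at the hunk's last line and continues outside it. If that downstream check keys on `isPublicPull`, recompute it here as well rather than only forcing auth, e.g. `isPublicPull = isPublicPull && repo.Owner.Visibility == structs.VisibleTypePublic` next to the `askAuth` update, and add a test that exercises an authenticated non-member against a public repo in a `VisibleTypePrivate` org (a `VisibleTypeLimited` org should remain readable by any authenticated user). The comment is also narrower than the code, which applies to any owner whose visibility is not public, not only organizations; something like `// force authentication when the owner is not publicly visible; the access check below still decides whether this user may read` states the intent more precisely.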