From 8dcc7d9e8ce36d94bae1a1becddc4735f51add3c Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Tue, 9 Apr 2024 06:24:35 +0800 Subject: [PATCH] Fix possible renderer security problem(#30136) (#30315) Co-authored-by: wxiaoguang (cherry picked from commit 65d96725bb6cb0d0616c17844aca6c753aa5c851) --- routers/web/repo/render.go | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go index f146debb03..f62f0b853f 100644 --- a/routers/web/repo/render.go +++ b/routers/web/repo/render.go @@ -12,6 +12,7 @@ import ( "code.gitea.io/gitea/modules/charset" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/git" + "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/markup" "code.gitea.io/gitea/modules/typesniffer" "code.gitea.io/gitea/modules/util" @@ -44,20 +45,17 @@ func RenderFile(ctx *context.Context) { isTextFile := st.IsText() rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{}) + ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts") if markupType := markup.Type(blob.Name()); markupType == "" { if isTextFile { - _, err = io.Copy(ctx.Resp, rd) - if err != nil { - ctx.ServerError("Copy", err) - } - return + _, _ = io.Copy(ctx.Resp, rd) + } else { + http.Error(ctx.Resp, "Unsupported file type render", http.StatusInternalServerError) } - ctx.Error(http.StatusInternalServerError, "Unsupported file type render") return } - ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts") err = markup.Render(&markup.RenderContext{ Ctx: ctx, RelativePath: ctx.Repo.TreePath, @@ -71,7 +69,8 @@ func RenderFile(ctx *context.Context) { InStandalonePage: true, }, rd, ctx.Resp) if err != nil { - ctx.ServerError("Render", err) + log.Error("Failed to render file %q: %v", ctx.Repo.TreePath, err) + http.Error(ctx.Resp, "Failed to render file", http.StatusInternalServerError) return } }