From 154efa59a5a837d8375c09fb0b18a1b63bea6a3a Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Sat, 22 Oct 2022 15:36:44 +0200
Subject: [PATCH] Prevent Authorization header for presigned LFS urls (#21531)

Fixes #21525

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 services/lfs/server.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/services/lfs/server.go b/services/lfs/server.go
index b868db39d..830112fac 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
 		}
 
 		if download {
-			rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+			var link *lfs_module.Link
 			if setting.LFS.ServeDirect {
 				// If we have a signed url (S3, object storage), redirect to this directly.
 				u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)
 				if u != nil && err == nil {
-					rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header}
+					// Presigned url does not need the Authorization header
+					// https://github.com/go-gitea/gitea/issues/21525
+					delete(header, "Authorization")
+					link = &lfs_module.Link{Href: u.String(), Header: header}
 				}
 			}
+			if link == nil {
+				link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+			}
+			rep.Actions["download"] = link
 		}
 		if upload {
 			rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}
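Review bot: `delete(header, "Authorization")` on the new line 30 mutates the `header` map that is shared with the other actions, so when `download` is served from a presigned URL and `upload` is also requested, the upload link built on the last line of the hunk (and, presumably, any later action that reuses `header`) is emitted without the Authorization header even though it points at Gitea's own endpoint. The presigned branch should build its own header copy instead of editing the shared one; the `nil` check on `link` and the fallback to `rc.DownloadLink` are fine as written. buildObjectResponse starts before and continues after this hunk, so I cannot see where `header` is built or whether it is reused elsewhere — if it is, the same aliasing applies there too.
```go
				if u != nil && err == nil {
					// Presigned url does not need the Authorization header
					// https://github.com/go-gitea/gitea/issues/21525
					// Copy rather than delete: header is shared with the upload/verify links.
					directHeader := make(map[string]string, len(header))
					for k, v := range header {
						if k != "Authorization" {
							directHeader[k] = v
						}
					}
					link = &lfs_module.Link{Href: u.String(), Header: directHeader}
				}
// … unchanged: nil-link fallback and upload action …
```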