#3057 retrieve webhook with repo_id

This prevents a user from retrieving an arbitrary webhook by changing the URL to
access webhooks of other repositories they are not authorized for.
Unknwon 2016-07-08 13:57:09 +08:00
parent e30c701386
commit d62ab49978
6 changed files with 9 additions and 9 deletions


@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true) ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions) ##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
| Web | UI | Preview | | Web | UI | Preview |
|:-------------:|:-------:|:-------:| |:-------------:|:-------:|:-------:|


@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.9.37.0708" const APP_VER = "0.9.38.0708"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())


@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
return err return err
} }
// GetWebhookByID returns webhook by given ID. // GetWebhookByID returns webhook of repository by given ID.
func GetWebhookByID(id int64) (*Webhook, error) { func GetWebhookByID(repoID, id int64) (*Webhook, error) {
w := new(Webhook) w := new(Webhook)
has, err := x.Id(id).Get(w) has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
if err != nil { if err != nil {
return nil, err return nil, err
} else if !has { } else if !has {
@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
} }
// Update webhook last delivery status. // Update webhook last delivery status.
w, err := GetWebhookByID(t.HookID) w, err := GetWebhookByID(t.RepoID, t.HookID)
if err != nil { if err != nil {
log.Error(5, "GetWebhookByID: %v", err) log.Error(5, "GetWebhookByID: %v", err)
return return
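Review bot: The repo-scoped lookup in deliver(), `GetWebhookByID(t.RepoID, t.HookID)`, will miss any webhook whose row does not carry the task's repository ID. If organization-level webhooks live in the same table without a repo_id (the `OrgRepoCtx` type in checkWebhook suggests they exist), their last-delivery status would stop being updated and each delivery would log a `GetWebhookByID` error. Both IDs here appear to come from the stored task rather than from a request, so the authorization filter adds little on this path; consider keeping an unscoped internal getter for deliver() and reserving the scoped one for request handlers. The doc comment could also state the contract, e.g. `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID.` Both functions continue outside the visible hunks.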


@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
// https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
func EditHook(ctx *context.APIContext, form api.EditHookOption) { func EditHook(ctx *context.APIContext, form api.EditHookOption) {
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id")) w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
if err != nil { if err != nil {
if models.IsErrWebhookNotExist(err) { if models.IsErrWebhookNotExist(err) {
ctx.Status(404) ctx.Status(404)


@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
} }
ctx.Data["BaseLink"] = orCtx.Link ctx.Data["BaseLink"] = orCtx.Link
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id")) w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
if err != nil { if err != nil {
if models.IsErrWebhookNotExist(err) { if models.IsErrWebhookNotExist(err) {
ctx.Handle(404, "GetWebhookByID", nil) ctx.Handle(404, "GetWebhookByID", nil)
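Review bot: `ctx.Repo.Repository.ID` is dereferenced unconditionally in checkWebhook, which returns an `*OrgRepoCtx` and so presumably also serves organization webhook pages. If `ctx.Repo.Repository` is nil on those routes, this panics instead of returning 404. Branch on whether the context is a repository or an organization before the lookup, and scope the organization case by the owning organization's ID so the same URL-tampering check applies there. The function starts and ends outside the hunk, so the earlier context setup is not visible here.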


@ -1 +1 @@
0.9.37.0708 0.9.38.0708