#3057 retrieve webhook with repo_id
This prevents a user from retrieving an arbitrary webhook by changing the URL to access webhooks that belong to other repositories they are not authorized for.
parent
e30c701386
commit
d62ab49978
6 changed files with 9 additions and 9 deletions
|
@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
|
||||||
|
|
||||||
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
||||||
|
|
||||||
##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
|
##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
|
||||||
|
|
||||||
| Web | UI | Preview |
|
| Web | UI | Preview |
|
||||||
|:-------------:|:-------:|:-------:|
|
|:-------------:|:-------:|:-------:|
|
||||||
|
|
2
gogs.go
2
gogs.go
|
@ -17,7 +17,7 @@ import (
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.9.37.0708"
|
const APP_VER = "0.9.38.0708"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||||
|
|
|
@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetWebhookByID returns webhook by given ID.
|
// GetWebhookByID returns webhook of repository by given ID.
|
||||||
func GetWebhookByID(id int64) (*Webhook, error) {
|
func GetWebhookByID(repoID, id int64) (*Webhook, error) {
|
||||||
w := new(Webhook)
|
w := new(Webhook)
|
||||||
has, err := x.Id(id).Get(w)
|
has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else if !has {
|
} else if !has {
|
||||||
|
@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update webhook last delivery status.
|
// Update webhook last delivery status.
|
||||||
w, err := GetWebhookByID(t.HookID)
|
w, err := GetWebhookByID(t.RepoID, t.HookID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(5, "GetWebhookByID: %v", err)
|
log.Error(5, "GetWebhookByID: %v", err)
|
||||||
return
|
return
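Review bot: In `deliver()` the hook id comes from the stored task (`t.HookID`), not from a request, so filtering that lookup by `t.RepoID` adds no access-control value and makes the status update fail for any webhook whose `repo_id` differs from the task's repository. If webhooks can be owned by an organisation rather than a repository (the `OrgRepoCtx` type in the web router suggests this, though the model is not visible here), those hooks would now reach the `GetWebhookByID: %v` error path after each delivery. Consider keeping an unscoped internal lookup for this caller and reserving the repository-scoped one for request handlers. The doc comment could also state the new contract more precisely, e.g. `// GetWebhookByID returns the webhook with the given ID only if it belongs to repository repoID.` Both function bodies continue outside the hunks.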
|
||||||
|
|
|
@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
|
||||||
|
|
||||||
// https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
|
// https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
|
||||||
func EditHook(ctx *context.APIContext, form api.EditHookOption) {
|
func EditHook(ctx *context.APIContext, form api.EditHookOption) {
|
||||||
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
|
w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if models.IsErrWebhookNotExist(err) {
|
if models.IsErrWebhookNotExist(err) {
|
||||||
ctx.Status(404)
|
ctx.Status(404)
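Review bot: The authorization in `EditHook` now depends on each caller remembering to pass `ctx.Repo.Repository.ID`, so any other handler in this file that takes `:id` and is not shown in this hunk should be checked for the same scoping. A short comment above the call would record why the repository id is passed, for example `// Scope by repository so an :id that belongs to another repository yields 404.` A regression test that requests a hook id owned by a different repository and expects 404 would keep the check from being dropped later. The body of `EditHook` continues outside the hunk.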
|
||||||
|
|
|
@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
|
||||||
}
|
}
|
||||||
ctx.Data["BaseLink"] = orCtx.Link
|
ctx.Data["BaseLink"] = orCtx.Link
|
||||||
|
|
||||||
w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
|
w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if models.IsErrWebhookNotExist(err) {
|
if models.IsErrWebhookNotExist(err) {
|
||||||
ctx.Handle(404, "GetWebhookByID", nil)
|
ctx.Handle(404, "GetWebhookByID", nil)
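Review bot: `ctx.Repo.Repository.ID` is dereferenced unconditionally in `checkWebhook`, which returns an `*OrgRepoCtx` and so appears to serve organisation settings pages as well as repository ones. If `ctx.Repo.Repository` is nil in the organisation case (not visible in this hunk), this line would panic. Even if it is not nil, an organisation-owned hook would no longer match the `repo_id` filter and would be reported as 404. It would be safer to branch on which kind of context `orCtx` holds and use a lookup scoped to that owner. The function starts and ends outside the hunk.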
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
0.9.37.0708
|
0.9.38.0708
|