git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

fix: sanitize OriginalURL before displaying it

Browse source 
While `repo.OriginalURL` is supposed to be sanitized, with username and
passwords removed, it appears that is not always the case, and sometimes
we may encounter original URLs that aren't sanitized. While that is
possibly a historical artifact, we should still treat it with care.

As such, before displaying `repo.OriginalURL` as an info flash when
syncing a pull repository, sanitize the URL first, to be on the safe
side.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
This commit is contained in:
Gergely Nagy 2024-05-28 17:38:44 +02:00 committed by Earl Warren
commit 145dea59bb
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
routers/web/repo/setting/setting.go
View file

@ -543,7 +543,13 @@ func SettingsPost(ctx *context.Context) {
mirror_service.AddPullMirrorToQueue(repo.ID)
ctx.Flash.Info(ctx.Tr("repo.settings.pull_mirror_sync_in_progress", repo.OriginalURL))
sanitizedOriginalURL, err := util.SanitizeURL(repo.OriginalURL)
if err != nil {
ctx.ServerError("SanitizeURL", err)
return
}
ctx.Flash.Info(ctx.Tr("repo.settings.pull_mirror_sync_in_progress", sanitizedOriginalURL))
ctx.Redirect(repo.Link() + "/settings")
case "push-mirror-sync":