From 76dfc75ed202c291c74612d772ea64d200666de9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 22 Mar 2025 15:52:32 +0000 Subject: [PATCH 1/4] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] (v10.0/forgejo) (#7302) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | require | patch | `v5.2.1` -> `v5.2.2` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### jwt-go allows excessive memory allocation during header parsing [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp)
More information #### Details ##### Summary Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html) ##### Details See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) ##### Impact Excessive memory allocation #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp](https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp) - [https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3](https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3) - [https://github.com/golang-jwt/jwt](https://github.com/golang-jwt/jwt) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
--- ### Release Notes
golang-jwt/jwt (github.com/golang-jwt/jwt/v5) ### [`v5.2.2`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.2) [Compare Source](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2) #### What's Changed - Fixed https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp by [@​mfridman](https://github.com/mfridman) - Fixed some typos by [@​Ashikpaul](https://github.com/Ashikpaul) in https://github.com/golang-jwt/jwt/pull/382 - build: add go1.22 to ci workflows by [@​mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/383 - Bump golangci/golangci-lint-action from 4 to 5 by [@​dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/387 - Bump golangci/golangci-lint-action from 5 to 6 by [@​dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/389 - chore: bump ci tests to include go1.23 by [@​mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/405 - Fix jwt -show by [@​AlexanderYastrebov](https://github.com/AlexanderYastrebov) in https://github.com/golang-jwt/jwt/pull/406 - docs: typo by [@​kvii](https://github.com/kvii) in https://github.com/golang-jwt/jwt/pull/407 - Update SECURITY.md by [@​oxisto](https://github.com/oxisto) in https://github.com/golang-jwt/jwt/pull/416 - Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@​mattt](https://github.com/mattt) in https://github.com/golang-jwt/jwt/pull/425 #### New Contributors - [@​Ashikpaul](https://github.com/Ashikpaul) made their first contribution in https://github.com/golang-jwt/jwt/pull/382 - [@​kvii](https://github.com/kvii) made their first contribution in https://github.com/golang-jwt/jwt/pull/407 - [@​mattt](https://github.com/mattt) made their first contribution in https://github.com/golang-jwt/jwt/pull/425 **Full Changelog**: https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7302 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cf6252f02e..86af157812 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/gobwas/glob v0.2.3 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 - github.com/golang-jwt/jwt/v5 v5.2.1 + github.com/golang-jwt/jwt/v5 v5.2.2 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 github.com/google/go-github/v64 v64.0.0 github.com/google/pprof v0.0.0-20241017200806-017d972448fc diff --git a/go.sum b/go.sum index cedec7d4e9..79747476ad 100644 --- a/go.sum +++ b/go.sum @@ -981,8 +981,8 @@ github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JP github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= -github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= +github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= From a35a3b6731fc4403e2b2b95fdfc436501d20c416 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 22 Mar 2025 15:53:21 +0000 Subject: [PATCH 2/4] Update module golang.org/x/oauth2 to v0.27.0 [SECURITY] (v10.0/forgejo) (#7304) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) | require | minor | [`v0.23.0` -> `v0.27.0`](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.23.0...refs/tags/v0.27.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Unexpected memory consumption during token parsing in golang.org/x/oauth2 [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) / [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488)
More information #### Details An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. #### Severity Unknown #### References - [https://go.dev/cl/652155](https://go.dev/cl/652155) - [https://go.dev/issue/71490](https://go.dev/issue/71490) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3488) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7304 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 86af157812..7b0119ba01 100644 --- a/go.mod +++ b/go.mod @@ -104,7 +104,7 @@ require ( golang.org/x/crypto v0.35.0 golang.org/x/image v0.23.0 golang.org/x/net v0.33.0 - golang.org/x/oauth2 v0.23.0 + golang.org/x/oauth2 v0.27.0 golang.org/x/sync v0.11.0 golang.org/x/sys v0.30.0 golang.org/x/text v0.22.0 diff --git a/go.sum b/go.sum index 79747476ad..859f93f9f1 100644 --- a/go.sum +++ b/go.sum @@ -1662,8 +1662,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= -golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M= +golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 0f5182d0c630dc77777c00cabe485f700881dcf9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 22 Mar 2025 16:47:19 +0000 Subject: [PATCH 3/4] Update module golang.org/x/net to v0.36.0 [SECURITY] (v10.0/forgejo) (#7303) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | require | minor | [`v0.33.0` -> `v0.36.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.33.0...refs/tags/v0.36.0) | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)
More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity Unknown #### References - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3503) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
--- ### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)
More information #### Details Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) - [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net) - [https://go.dev/cl/654697](https://go.dev/cl/654697) - [https://go.dev/issue/71984](https://go.dev/issue/71984) - [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503) - [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7303 Reviewed-by: Earl Warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7b0119ba01..12d2c3803b 100644 --- a/go.mod +++ b/go.mod @@ -103,7 +103,7 @@ require ( go.uber.org/mock v0.4.0 golang.org/x/crypto v0.35.0 golang.org/x/image v0.23.0 - golang.org/x/net v0.33.0 + golang.org/x/net v0.36.0 golang.org/x/oauth2 v0.27.0 golang.org/x/sync v0.11.0 golang.org/x/sys v0.30.0 diff --git a/go.sum b/go.sum index 859f93f9f1..1c8e75c1ff 100644 --- a/go.sum +++ b/go.sum @@ -1631,8 +1631,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= -golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= +golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA= +golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= From dde3f51c72feffac4805fc3133b6a681d8c97c6f Mon Sep 17 00:00:00 2001 From: forgejo-backport-action Date: Sat, 22 Mar 2025 17:30:28 +0000 Subject: [PATCH 4/4] [v10.0/forgejo] fix: use correct input for strip slashes middleware (#7306) **Backport:** https://codeberg.org/forgejo/forgejo/pulls/7295 - The router must use the escaped path in order to ensure correct functionality (at least, that is what they say). However `req.URL.Path` shouldn't be set to the escaped path, which is fixed in this patch. - Simplify the logic and no longer try to use `rctx.RoutePath`, this is only useful if the middleware was placed after some routing parsing was done. - Resolves forgejo/forgejo#7294 - Resolves forgejo/forgejo#7292 - Add unit test ## Release notes - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/7295): use correct input for strip slashes middleware Co-authored-by: Gusted Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7306 Co-authored-by: forgejo-backport-action Co-committed-by: forgejo-backport-action --- routers/common/middleware.go | 30 +++++++++++++++--------------- routers/common/middleware_test.go | 26 +++++++++++++++++++------- services/context/repo.go | 2 +- 3 files changed, 35 insertions(+), 23 deletions(-) diff --git a/routers/common/middleware.go b/routers/common/middleware.go index 856c10e678..873bc09b1d 100644 --- a/routers/common/middleware.go +++ b/routers/common/middleware.go @@ -74,27 +74,27 @@ func ProtocolMiddlewares() (handlers []any) { func stripSlashesMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { - // First of all escape the URL RawPath to ensure that all routing is done using a correctly escaped URL + // Ensure that URL.RawPath is always set. req.URL.RawPath = req.URL.EscapedPath() - urlPath := req.URL.RawPath - rctx := chi.RouteContext(req.Context()) - if rctx != nil && rctx.RoutePath != "" { - urlPath = rctx.RoutePath - } - - sanitizedPath := &strings.Builder{} - prevWasSlash := false - for _, chr := range strings.TrimRight(urlPath, "/") { - if chr != '/' || !prevWasSlash { - sanitizedPath.WriteRune(chr) + sanitize := func(path string) string { + sanitizedPath := &strings.Builder{} + prevWasSlash := false + for _, chr := range strings.TrimRight(path, "/") { + if chr != '/' || !prevWasSlash { + sanitizedPath.WriteRune(chr) + } + prevWasSlash = chr == '/' } - prevWasSlash = chr == '/' + return sanitizedPath.String() } - req.URL.Path = sanitizedPath.String() + // Sanitize the unescaped path for application logic. + req.URL.Path = sanitize(req.URL.Path) + rctx := chi.RouteContext(req.Context()) if rctx != nil { - rctx.RoutePath = req.URL.Path + // Sanitize the escaped path for routing. + rctx.RoutePath = sanitize(req.URL.RawPath) } next.ServeHTTP(resp, req) }) diff --git a/routers/common/middleware_test.go b/routers/common/middleware_test.go index 0e111e1261..6126e0afcc 100644 --- a/routers/common/middleware_test.go +++ b/routers/common/middleware_test.go @@ -15,9 +15,10 @@ import ( func TestStripSlashesMiddleware(t *testing.T) { type test struct { - name string - expectedPath string - inputPath string + name string + expectedPath string + expectedNormalPath string + inputPath string } tests := []test{ @@ -57,9 +58,16 @@ func TestStripSlashesMiddleware(t *testing.T) { expectedPath: "/repo/migrate", }, { - name: "path with encoded slash", - inputPath: "/user2/%2F%2Frepo1", - expectedPath: "/user2/%2F%2Frepo1", + name: "path with encoded slash", + inputPath: "/user2/%2F%2Frepo1", + expectedPath: "/user2/%2F%2Frepo1", + expectedNormalPath: "/user2/repo1", + }, + { + name: "path with space", + inputPath: "/assets/css/theme%20cappuccino.css", + expectedPath: "/assets/css/theme%20cappuccino.css", + expectedNormalPath: "/assets/css/theme cappuccino.css", }, } @@ -69,7 +77,11 @@ func TestStripSlashesMiddleware(t *testing.T) { called := false r.Get("*", func(w http.ResponseWriter, r *http.Request) { - assert.Equal(t, tt.expectedPath, r.URL.Path) + if tt.expectedNormalPath != "" { + assert.Equal(t, tt.expectedNormalPath, r.URL.Path) + } else { + assert.Equal(t, tt.expectedPath, r.URL.Path) + } rctx := chi.RouteContext(r.Context()) assert.Equal(t, tt.expectedPath, rctx.RoutePath) diff --git a/services/context/repo.go b/services/context/repo.go index 71cf431273..462d843bfc 100644 --- a/services/context/repo.go +++ b/services/context/repo.go @@ -1051,7 +1051,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context if refType == RepoRefLegacy { // redirect from old URL scheme to new URL scheme - prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.PathParamRaw("*"))), strings.ToLower(ctx.Repo.RepoLink)) + prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*"))), strings.ToLower(ctx.Repo.RepoLink)) ctx.Redirect(path.Join( ctx.Repo.RepoLink,