Nemcio/Gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2026-02-27 08:40:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

context: reject access tokens passed via URL query parameters (#8177)

Browse Source
This commit is contained in:
ᴊᴏᴇ ᴄʜᴇɴ
2026-02-13 15:27:48 -05:00
committed by Joe Chen
parent a5c2cc0c6e
commit 094b632182
3 changed files with 12 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.claude/commands/ghsa.md
View File

@@ -7,5 +7,7 @@ Steps:
4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
6. Run all the usual build and test commands.
7. Create a branch named after the GHSA ID, commit, and push.
8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
8. Create a branch named after the GHSA ID, commit, and push.
9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
10. If a changelog entry was added, update it with the PR link, then commit and push again.

2
CHANGELOG.md
View File

@@ -10,6 +10,8 @@ All notable changes to Gogs are documented in this file.
### Removed
- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
- Git clone via the built-in SSH server hangs. [#8132](https://github.com/gogs/gogs/issues/8132)
## 0.14.0

18
internal/context/auth.go
View File

@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
// Check access token.
if isAPIPath(c.Req.URL.Path) {
tokenSHA := c.Query("token")
if len(tokenSHA) <= 0 {
tokenSHA = c.Query("access_token")
}
if tokenSHA == "" {
// Well, check with header again.
auHead := c.Req.Header.Get("Authorization")
if len(auHead) > 0 {
auths := strings.Fields(auHead)
if len(auths) == 2 && auths[0] == "token" {
tokenSHA = auths[1]
}
var tokenSHA string
auHead := c.Req.Header.Get("Authorization")
if auHead != "" {
auths := strings.Fields(auHead)
if len(auths) == 2 && auths[0] == "token" {
tokenSHA = auths[1]
}
}