Dont leak private users via extensions #28023

Merged

Member

@6543 6543 commented Nov 13, 2023

There was no check in place for whether a user could see another user if you append e.g. `.rss`.
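The bug class described in this PR, as an added example that is not Gitea's code and not part of the original comment: a simplified Go handler in which the extension route (e.g. `.rss`) either answers before the visibility check or shares it with the profile route. The `X-Viewer` header, the `canSee` rule and the sample users are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data: user name -> private flag.
var private = map[string]bool{"alice": false, "bob": true}

// canSee is an assumed visibility rule: a private profile is visible only to its owner.
func canSee(viewer, owner string) bool { return !private[owner] || viewer == owner }

// profileHandler serves /{name} and /{name}.{ext}. With checkExt=false it models
// the bug class: the extension branch answers before the visibility check runs.
func profileHandler(checkExt bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		name, ext, hasExt := strings.Cut(strings.TrimPrefix(r.URL.Path, "/"), ".")
		if _, ok := private[name]; !ok {
			http.NotFound(w, r)
			return
		}
		viewer := r.Header.Get("X-Viewer") // hypothetical stand-in for the session user
		if hasExt && !checkExt {
			fmt.Fprintf(w, "%s feed for %s", ext, name) // reachable by anyone
			return
		}
		if !canSee(viewer, name) {
			http.NotFound(w, r) // same response as for an unknown user
			return
		}
		fmt.Fprintf(w, "profile %q (ext=%q)", name, ext)
	}
}

// status returns the HTTP status code the given viewer receives for path.
func status(h http.Handler, viewer, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Viewer", viewer)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, fixed := range []bool{false, true} {
		h := profileHandler(fixed)
		fmt.Println(fixed, status(h, "", "/bob"), status(h, "", "/bob.rss"), status(h, "bob", "/bob.rss"))
	}
}
```

A regression test for this kind of fix should request every extension variant of a private profile as an anonymous viewer and expect the same status as for a nonexistent user.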

@6543 6543 added type/bug backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Nov 13, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 13, 2023
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 13, 2023
Co-authored-by: delvh <dev.lh@web.de>
@6543 6543 requested a review from delvh November 13, 2023 19:14
@6543 6543 added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 13, 2023
@6543 6543 mentioned this pull request Nov 13, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 13, 2023
@6543 6543 requested a review from a team November 13, 2023 20:27
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 13, 2023
@jolheiser jolheiser merged commit c636608 into go-gitea:main Nov 13, 2023
@jolheiser jolheiser deleted the dont-leak-private-users-via-extensions branch November 13, 2023 22:30
@GiteaBot GiteaBot added this to the 1.22.0 milestone Nov 13, 2023
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 13, 2023
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Nov 13, 2023
6543 pushed a commit that referenced this pull request Nov 13, 2023
Backport #28023 by @6543

There was no check in place for whether a user could see another user if you
append e.g. `.rss`.
6543 pushed a commit that referenced this pull request Nov 13, 2023
Backport #28023 by @6543

There was no check in place for whether a user could see another user if you
append e.g. `.rss`.
@GiteaBot
Collaborator

I was unable to create a backport for 1.20. @6543, please send one manually. 🍵

```
go run ./contrib/backport 28023
...  // fix git conflicts if any
go run ./contrib/backport --continue
```

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Nov 13, 2023
@GiteaBot
Collaborator

I was unable to create a backport for 1.21. @6543, please send one manually. 🍵

```
go run ./contrib/backport 28023
...  // fix git conflicts if any
go run ./contrib/backport --continue
```

@6543
Member Author

6543 commented Nov 13, 2023

yes because it already got merged 😆

@lunny lunny added the backport/done All backports for this PR have been created label Nov 14, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 14, 2023
* upstream/main:
  fixed duplicate attachments on dump on windows (go-gitea#28019)
  [skip ci] Updated translations via Crowdin
  packages: Calculate package size quota using package creator ID instead of owner ID (go-gitea#28007)
  Dont leak private users via extensions (go-gitea#28023)
  Improve profile for Organizations (go-gitea#27982)
  Enable system users search via the API (go-gitea#28013)
  Enable system users for comment.LoadPoster (go-gitea#28014)
  Change default size of issue/pr attachments and repo file (go-gitea#27946)
  Fix missing mail reply address (go-gitea#27997)
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this pull request Jan 17, 2024
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Feb 12, 2024