Path Traversal in file editing UI and API (GHSA-r7j8-5h9c-f6fx, GHSA-qf5v-rp47-55gg) #7582

Closed
1 task done
ManassehZhou opened this issue Oct 27, 2023 · 1 comment · Fixed by #7859

@ManassehZhou

Describe the bug

Detailed information has been sent to security@gogs.io.

Code of Conduct

  • I agree to follow this project's Code of Conduct
@unknwon unknwon added this to the 0.13.1 milestone Dec 9, 2024
@unknwon unknwon self-assigned this Dec 9, 2024
@unknwon unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels Dec 9, 2024
@unknwon
Member

unknwon commented Dec 9, 2024

GHSA created for this report:

They are currently private, will publish 14 days after 0.13.1 is released.

@unknwon unknwon changed the title RCE vulnerability in GOGS Remote Command Execution in file editing Dec 9, 2024
@unknwon unknwon changed the title Remote Command Execution in file editing Remote Command Execution in file editing (GHSA-r7j8-5h9c-f6fx) Dec 9, 2024
unknwon added a commit that referenced this issue Dec 9, 2024
@unknwon unknwon changed the title Remote Command Execution in file editing (GHSA-r7j8-5h9c-f6fx) Path Traversal in file editing UI and API (GHSA-r7j8-5h9c-f6fx, GHSA-qf5v-rp47-55gg) Dec 15, 2024
unknwon added a commit that referenced this issue Dec 15, 2024
## Describe the pull request

Link to the issue: closes #7582
unknwon added a commit that referenced this issue Dec 22, 2024
unknwon added a commit that referenced this issue Dec 22, 2024
## Describe the pull request

Link to the issue: closes #7582