mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-06-05 09:54:36 -04:00
Use hostmatcher
to replace matchlist
, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
This commit is contained in:
parent
c96be0cd98
commit
013fb73068
33 changed files with 377 additions and 293 deletions
|
@ -253,10 +253,8 @@ func handleRemoteAddrError(ctx *context.APIContext, err error) {
|
|||
case addrErr.IsPermissionDenied:
|
||||
if addrErr.LocalPath {
|
||||
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import local repositories.")
|
||||
} else if len(addrErr.PrivateNet) == 0 {
|
||||
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from blocked hosts.")
|
||||
} else {
|
||||
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from private IPs.")
|
||||
ctx.Error(http.StatusUnprocessableEntity, "", "You can not import from disallowed hosts.")
|
||||
}
|
||||
case addrErr.IsInvalidPath:
|
||||
ctx.Error(http.StatusUnprocessableEntity, "", "Invalid local path, it does not exist or not a directory.")
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue