cerc-io/gitea
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes possible vulnerabilities with keyword hijacking (#20)

Browse Source 
- Added public entries to reserved keywords list
- Rename variables
- Derped comment
This commit is contained in:
LefsFlare 2016-11-12 20:26:45 +08:00 committed by Thibault Meyer
parent 3dedc027ac
commit 3ef022b071
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
models/user.go
View File

@ -505,12 +505,12 @@ func NewGhostUser() *User {
} }
var ( var (
reversedUsernames = []string{"debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."} reservedUsernames = []string{"assets", "css", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
reversedUserPatterns = []string{"*.keys"} reservedUserPatterns = []string{"*.keys"}
) )
// isUsableName checks if name is reserved or pattern of name is not allowed // isUsableName checks if name is reserved or pattern of name is not allowed
// based on given reversed names and patterns. // based on given reserved names and patterns.
// Names are exact match, patterns can be prefix or suffix match with placeholder '*'. // Names are exact match, patterns can be prefix or suffix match with placeholder '*'.
func isUsableName(names, patterns []string, name string) error { func isUsableName(names, patterns []string, name string) error {
name = strings.TrimSpace(strings.ToLower(name)) name = strings.TrimSpace(strings.ToLower(name))
@ -535,7 +535,7 @@ func isUsableName(names, patterns []string, name string) error {
} }
func IsUsableUsername(name string) error { func IsUsableUsername(name string) error {
return isUsableName(reversedUsernames, reversedUserPatterns, name) return isUsableName(reservedUsernames, reservedUserPatterns, name)
} }
// CreateUser creates record of a new user. // CreateUser creates record of a new user.