This prevents a user from retrieving an arbitrary webhook by changing the URL to access webhooks from other repositories they are not authorized for.
tags/v1.2.0-rc1
| @@ -3,7 +3,7 @@ Gogs - Go Git Service [ |  | ||||
| ##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions) | |||||
| ##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions) | |||||
| | Web | UI | Preview | | | Web | UI | Preview | | ||||
| |:-------------:|:-------:|:-------:| | |:-------------:|:-------:|:-------:| | ||||
| @@ -17,7 +17,7 @@ import ( | |||||
| "github.com/gogits/gogs/modules/setting" | "github.com/gogits/gogs/modules/setting" | ||||
| ) | ) | ||||
| const APP_VER = "0.9.37.0708" | |||||
| const APP_VER = "0.9.38.0708" | |||||
| func init() { | func init() { | ||||
| runtime.GOMAXPROCS(runtime.NumCPU()) | runtime.GOMAXPROCS(runtime.NumCPU()) | ||||
| @@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error { | |||||
| return err | return err | ||||
| } | } | ||||
| // GetWebhookByID returns webhook by given ID. | |||||
| func GetWebhookByID(id int64) (*Webhook, error) { | |||||
| // GetWebhookByID returns webhook of repository by given ID. | |||||
| func GetWebhookByID(repoID, id int64) (*Webhook, error) { | |||||
| w := new(Webhook) | w := new(Webhook) | ||||
| has, err := x.Id(id).Get(w) | |||||
| has, err := x.Id(id).And("repo_id=?", repoID).Get(w) | |||||
| if err != nil { | if err != nil { | ||||
| return nil, err | return nil, err | ||||
| } else if !has { | } else if !has { | ||||
| @@ -548,7 +548,7 @@ func (t *HookTask) deliver() { | |||||
| } | } | ||||
| // Update webhook last delivery status. | // Update webhook last delivery status. | ||||
| w, err := GetWebhookByID(t.HookID) | |||||
| w, err := GetWebhookByID(t.RepoID, t.HookID) | |||||
| if err != nil { | if err != nil { | ||||
| log.Error(5, "GetWebhookByID: %v", err) | log.Error(5, "GetWebhookByID: %v", err) | ||||
| return | return | ||||
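Review bot: The new `repo_id=?` condition in GetWebhookByID is now the access check for every caller, but the doc comment does not say so, and the two adjacent int64 parameters `repoID, id` can be transposed without a compile error. I would expand the comment to something like `// GetWebhookByID returns the webhook with the given ID only if it belongs to repoID; repoID must come from the already-authorized request context.` A name that encodes the argument order, for example `GetWebhookOfRepoByID`, would make a swapped call easier to spot in review. In deliver(), the lookup now depends on `t.RepoID` being populated on every HookTask; if older rows can lack it (not visible here), the last-delivery status update would be skipped with only a log line. Both function bodies continue outside the hunks.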
| @@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) { | |||||
| // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook | // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook | ||||
| func EditHook(ctx *context.APIContext, form api.EditHookOption) { | func EditHook(ctx *context.APIContext, form api.EditHookOption) { | ||||
| w, err := models.GetWebhookByID(ctx.ParamsInt64(":id")) | |||||
| w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id")) | |||||
| if err != nil { | if err != nil { | ||||
| if models.IsErrWebhookNotExist(err) { | if models.IsErrWebhookNotExist(err) { | ||||
| ctx.Status(404) | ctx.Status(404) | ||||
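Review bot: Scoping is applied here at the lookup in EditHook, but the same ownership check is needed on every path that takes a hook `:id` from the URL, and this diff shows no change to a delete path. If an API or web handler still deletes a webhook by bare ID (not visible on this page), it should go through the repo-scoped lookup first or carry the same `repo_id=?` condition. A regression test that requests a hook ID belonging to a different repository and expects the 404 branch would pin the behaviour. EditHook's body continues outside the hunk.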
| @@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) { | |||||
| } | } | ||||
| ctx.Data["BaseLink"] = orCtx.Link | ctx.Data["BaseLink"] = orCtx.Link | ||||
| w, err := models.GetWebhookByID(ctx.ParamsInt64(":id")) | |||||
| w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id")) | |||||
| if err != nil { | if err != nil { | ||||
| if models.IsErrWebhookNotExist(err) { | if models.IsErrWebhookNotExist(err) { | ||||
| ctx.Handle(404, "GetWebhookByID", nil) | ctx.Handle(404, "GetWebhookByID", nil) | ||||
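Review bot: `ctx.Repo.Repository.ID` is dereferenced unconditionally in checkWebhook, yet the function returns an `*OrgRepoCtx` and uses `orCtx.Link`, which suggests it also serves organization-level webhook pages. On such a route `ctx.Repo.Repository` is presumably nil, so this line would panic, and even with a zero ID the `repo_id=?` filter would no longer match the way the unscoped lookup did. I would branch on the context kind held in orCtx: keep the repo-scoped lookup for repository hooks and add an organization-scoped lookup, filtering on the owning organization's ID, for organization hooks, so both kinds stay bound to their owner. The function starts and ends outside the hunk.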
| @@ -1 +1 @@ | |||||
| 0.9.37.0708 | |||||
| 0.9.38.0708 | |||||