|
@@ -192,6 +192,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
|
|
|
return
|
|
return
|
|
|
}
|
|
}
|
|
|
} else {
|
|
} else {
|
|
|
|
|
+ // 🚨 SECURITY: Do not allow editing if the target file is a symlink.
|
|
|
if entry.IsSymlink() {
|
|
if entry.IsSymlink() {
|
|
|
c.FormErr("TreePath")
|
|
c.FormErr("TreePath")
|
|
|
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
|
|
c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", part), tmplEditorEdit, &f)
|
|
@@ -205,7 +206,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
if !isNewFile {
|
|
if !isNewFile {
|
|
|
- _, err := c.Repo.Commit.TreeEntry(oldTreePath)
|
|
|
|
|
|
|
+ entry, err := c.Repo.Commit.TreeEntry(oldTreePath)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
|
if gitutil.IsErrRevisionNotExist(err) {
|
|
if gitutil.IsErrRevisionNotExist(err) {
|
|
|
c.FormErr("TreePath")
|
|
c.FormErr("TreePath")
|
|
@@ -215,6 +216,14 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
|
|
|
}
|
|
}
|
|
|
return
|
|
return
|
|
|
}
|
|
}
|
|
|
|
|
+
|
|
|
|
|
+ // 🚨 SECURITY: Do not allow editing if the old file is a symlink.
|
|
|
|
|
+ if entry.IsSymlink() {
|
|
|
|
|
+ c.FormErr("TreePath")
|
|
|
|
|
+ c.RenderWithErr(c.Tr("repo.editor.file_is_a_symlink", oldTreePath), tmplEditorEdit, &f)
|
|
|
|
|
+ return
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
if lastCommit != c.Repo.CommitID {
|
|
if lastCommit != c.Repo.CommitID {
|
|
|
files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
|
|
files, err := c.Repo.Commit.FilesChangedAfter(lastCommit)
|
|
|
if err != nil {
|
|
if err != nil {
|
Joe Chen