
Issues with special chars in branch names #3681

Closed

Description

@nubenum
  • Gitea version (or commit ref): 575c109
  • Git version: 2.15.0
  • Operating system: alpine 3.7 (docker)
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant - try.gitea.io is offline (?)
  • Log for redirect loop:
[Macaron] 2018-03-16 18:39:23: Started GET /user/test/src/bb%23c for 172.21.0.1
[Macaron] 2018-03-16 18:39:23: Completed GET /user/test/src/bb%23c 302 Found in 21.443435ms
[Macaron] 2018-03-16 18:39:23: Started GET /user/test/src/bb%23c/branch/bb for 172.21.0.1
[Macaron] 2018-03-16 18:39:23: Completed GET /user/test/src/bb%23c/branch/bb 302 Found in 16.817486ms
[Macaron] 2018-03-16 18:39:23: Started GET /user/test/src/bb%23c/branch/bb/branch/bb for 172.21.0.1
[Macaron] 2018-03-16 18:39:23: Completed GET /user/test/src/bb%23c/branch/bb/branch/bb 302 Found in 17.981283ms

Description

I admit it's a little stupid to use branch names that contain special characters (e.g. <>#ßä), but if you do, there are several issues:

On the dashboard/feed page at "[user] pushed to [branch]" (feeds.tmpl#L16) and possibly elsewhere, the legacy URL scheme is still used (/src/branch-name) and a redirect will occur to /src/branch/branch-name (repo.go#L622). With the branch name containing special chars, gitea gets caught in a redirect loop since for some reason the branch name is not trimmed as intended and thus appended over and over again (until failing with e.g. ERR_RESPONSE_HEADERS_TOO_BIG in Chrome). Removing the last references to the legacy URL scheme should help.

Using other links, such as the branch dropdown (branch_dropdown.tmpl#L13) in the repo view or the separate branch list ([repo]/branches/, list.tmpl#L44), it works for chars like ßä.
However, branch names with URL-relevant special chars, particularly the # (hash), are not escaped on the server side for the branches list (it works with the dropdown) and will thus result in a 404, since the part behind the hash never reaches the server.

The characters <> are also not always properly escaped. Sometimes they are stripped (dashboard), sometimes they are escaped (branches dropdown), and sometimes neither (href/clicking on an entry in the branch dropdown or branch list).
In particular, creating a branch s<script>alert('XSS');</script>s makes it possible to create an XSS attack at src/branch/s<script>alert('XSS');</script>s (at least in Firefox; Chrome blocks it), by accessing the branch via the dropdown or the list. The unescaped injection occurs at branch_dropdown.tmpl#L50.
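
The following is an added example, not code from the Gitea project or from the reporter. It is written in Go because Gitea is a Go code base, and it replays the three 302s from the log above with a hypothetical reconstruction of the legacy `/src/<ref>` redirect (`BuggyLegacyRedirect`: the handler trims the decoded ref off the still-encoded request path, which never matches, and appends anyway; an unescaped `#` in the Location then becomes a fragment the browser drops). `FixedLegacyRedirect`, `EscapeBranchPath`, `BranchHref` and `BranchLabel` show the two separate fixes the report calls for: percent-encode every branch name segment in hrefs so `#` survives the round trip, and HTML-escape the visible label so `<script>` renders as text. All function names and the route layout `/owner/repo/src/branch/<name>` are assumptions for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// EscapeBranchPath percent-encodes a branch name one path segment at a time:
// '#', '?', '%', spaces and '<' '>' become %XX so the browser keeps them in the
// path, while the '/' in names like "feature/x" stays a path separator.
func EscapeBranchPath(branch string) string {
	parts := strings.Split(branch, "/")
	for i, p := range parts {
		parts[i] = url.PathEscape(p)
	}
	return strings.Join(parts, "/")
}

// BranchHref builds the non-legacy link /owner/repo/src/branch/<name>
// (hypothetical route layout assumed for this example).
func BranchHref(owner, repo, branch string) string {
	return "/" + url.PathEscape(owner) + "/" + url.PathEscape(repo) +
		"/src/branch/" + EscapeBranchPath(branch)
}

// BranchLabel is the visible text for a dropdown or list entry: HTML-escaped,
// so "<script>" renders literally instead of executing.
func BranchLabel(branch string) string {
	return html.EscapeString(branch)
}

// BuggyLegacyRedirect is a hypothetical reconstruction (not Gitea's code) of the
// looping /src/<ref> -> /src/branch/<ref> redirect in the report. It decodes the
// ref ("bb#c"), tries to trim it off the still-encoded request path ("bb%23c"),
// silently fails, and appends "/branch/<ref>" anyway.
func BuggyLegacyRedirect(rawPath string) string {
	i := strings.Index(rawPath, "/src/")
	if i < 0 {
		return rawPath
	}
	ref, err := url.PathUnescape(rawPath[i+len("/src/"):])
	if err != nil {
		return rawPath
	}
	base := strings.TrimSuffix(rawPath, ref) // no-op: "bb#c" never matches "bb%23c"
	return base + "/branch/" + ref           // unescaped '#' also turns the tail into a fragment
}

// BrowserFollow models what the client does with a Location header: anything
// from '#' on is a fragment and is not sent back to the server.
func BrowserFollow(location string) string {
	return strings.SplitN(location, "#", 2)[0]
}

// FixedLegacyRedirect splits the raw path into segments before decoding, refuses
// to redirect a URL that is already in /src/branch/ form, and rebuilds the target
// with EscapeBranchPath so the redirect cannot grow or loop. ok is false when no
// redirect is needed or the path is not a legacy /src/ URL.
func FixedLegacyRedirect(rawPath string) (target string, ok bool) {
	segs := strings.Split(strings.TrimPrefix(rawPath, "/"), "/")
	if len(segs) < 4 || segs[2] != "src" || segs[3] == "branch" || segs[3] == "" {
		return "", false
	}
	decoded := make([]string, len(segs))
	for i, s := range segs {
		d, err := url.PathUnescape(s)
		if err != nil {
			return "", false
		}
		decoded[i] = d
	}
	ref := strings.Join(decoded[3:], "/")
	return BranchHref(decoded[0], decoded[1], ref), true
}

func main() {
	fmt.Println("href :", BranchHref("user", "test", "bb#c"))
	fmt.Println("label:", BranchLabel("s<script>alert('XSS');</script>s"))

	// Replay the redirect chain from the report's log with the buggy handler.
	req := "/user/test/src/bb%23c"
	for hop := 0; hop < 3; hop++ {
		loc := BuggyLegacyRedirect(req)
		fmt.Printf("buggy hop %d: GET %s -> 302 %s\n", hop, req, loc)
		req = BrowserFollow(loc)
	}

	// The fixed handler redirects once and then serves the page.
	req = "/user/test/src/bb%23c"
	for {
		loc, ok := FixedLegacyRedirect(req)
		if !ok {
			fmt.Println("fixed: serve", req)
			break
		}
		fmt.Println("fixed: 302", loc)
		req = BrowserFollow(loc)
	}
}
```

The buggy loop reproduces the exact paths in the log (`/src/bb%23c/branch/bb`, then `/src/bb%23c/branch/bb/branch/bb`) because the server emits the raw `#` in the Location header and the browser strips it as a fragment before re-requesting. The fixed version never compares a decoded name against an encoded path, and it treats `/src/branch/...` as canonical so a second request cannot trigger a second redirect.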
