attachments accessible without authorization #4721
Comments
There are many cases where links might get leaked to another party (e.g. browser addon, some tool reading the download history, using untrusted chat services, proxy server...).
The root cause: gitea/routers/routes/routes.go Lines 444 to 445 in b34996a
We should add some verification for m.Post("/attachments", repo.UploadAttachment). Where are we using POST to /attachments? Upload attachments for repo/issue/comment only? At least it needs login for sure. This issue existed at gogs too:
To be fair, even images uploaded in a private repo on GitHub are accessible without authorization. I think another issue is tracking this same bug, as I must have made the above comment somewhere before.
@adelowo
And I found that if I remove the file from here:
Tested as working in Gitea Version: 1.9.0+dev-61-g7ed65a98e.
Description
Attachments of a release on a private repository should not be accessible without authorization!
For example, check the following private repo: https://try.gitea.io/norwin/test/releases
The release has an attachment, which can be accessed without authentication via
https://try.gitea.io/attachments/f3763540-6bf8-47c2-b2ce-0fa9c48f1e82
You could argue that the UUID provides security, but I would definitely feel safer if the attachments were protected by the same ACLs that govern the code-tarball associated with each release in case the direct link leaks somewhere.
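The program below is an added example of the check this report asks for; it is not Gitea's code and does not reproduce Gitea's handlers. It puts a handler that serves an attachment by UUID alone (the behaviour described above: anyone holding a leaked link gets the file) next to a hardened one that first resolves the UUID to its repository and applies that repository's ACL, and that also refuses anonymous POST uploads, which is the point raised in the comment about m.Post("/attachments", ...). The Store, Repo and Attachment types, the X-User header standing in for session authentication, the repository names and the UUIDs are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory model for the example; none of these types are Gitea's own.
type Repo struct {
	Private bool
	Readers map[string]bool // users allowed to read a private repo
}

type Attachment struct {
	RepoName string
	Content  string
}

type Store struct {
	Repos       map[string]*Repo
	Attachments map[string]*Attachment // keyed by attachment UUID
}

// userFrom is a stand-in for session authentication: the hypothetical
// X-User header names the signed-in user; empty means anonymous.
func userFrom(r *http.Request) string { return r.Header.Get("X-User") }

func uuidFrom(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/attachments/")
}

// CanRead applies the repository ACL: public repos are readable by anyone,
// private repos only by their listed readers. Unknown repos are unreadable.
func (s *Store) CanRead(user, repoName string) bool {
	repo, ok := s.Repos[repoName]
	if !ok {
		return false
	}
	return !repo.Private || repo.Readers[user]
}

// VulnerableServe treats the UUID as the only capability, as in the report:
// whoever holds the link gets the file, regardless of repository visibility.
func (s *Store) VulnerableServe(w http.ResponseWriter, r *http.Request) {
	a, ok := s.Attachments[uuidFrom(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, a.Content)
}

// HardenedServe resolves the attachment to its repository and enforces the
// repository ACL before serving. Unauthorized reads get 404 rather than 403 so
// the endpoint does not confirm which UUIDs exist. POST (upload) requires a
// signed-in user; the upload itself is omitted from the example.
func (s *Store) HardenedServe(w http.ResponseWriter, r *http.Request) {
	user := userFrom(r)
	if r.Method == http.MethodPost {
		if user == "" {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusCreated)
		return
	}
	a, ok := s.Attachments[uuidFrom(r)]
	if !ok || !s.CanRead(user, a.RepoName) {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, a.Content)
}

// SampleStore builds constructed sample data: one public and one private repo,
// each with one release attachment. The UUIDs are made up for the example.
func SampleStore() *Store {
	return &Store{
		Repos: map[string]*Repo{
			"alice/public": {Private: false},
			"norwin/test":  {Private: true, Readers: map[string]bool{"norwin": true}},
		},
		Attachments: map[string]*Attachment{
			"11111111-1111-1111-1111-111111111111": {RepoName: "alice/public", Content: "public release"},
			"22222222-2222-2222-2222-222222222222": {RepoName: "norwin/test", Content: "private release"},
		},
	}
}

// Status sends one request to the given handler and returns the HTTP status code.
func Status(h http.HandlerFunc, method, user, uuid string) int {
	req := httptest.NewRequest(method, "/attachments/"+uuid, nil)
	if user != "" {
		req.Header.Set("X-User", user)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	s := SampleStore()
	priv := "22222222-2222-2222-2222-222222222222"
	fmt.Println("leaked link, vulnerable handler:", Status(s.VulnerableServe, "GET", "", priv))    // 200
	fmt.Println("leaked link, hardened handler:  ", Status(s.HardenedServe, "GET", "", priv))      // 404
	fmt.Println("owner, hardened handler:        ", Status(s.HardenedServe, "GET", "norwin", priv)) // 200
}
```

The decisive difference is the CanRead lookup keyed on the attachment's owning repository: the UUID is still used to locate the file, but it is no longer what grants access, so a link that leaks through a browser extension, a proxy log or a chat service is only useful to someone who could already read the repository.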