mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-24 08:57:03 -05:00
forgejo/routers/web
Giteabot 4ffa683820
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServeHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
2023-10-06 16:51:04 +02:00
..

| Name | Last commit | Date |
| --- | --- | --- |
| admin | Fix admin queue page title and fix CI failures (#26409) (#26421) | 2023-08-10 11:04:48 +02:00 |
| auth | Replace interface{} with any (#25686) (#25687) | 2023-07-04 23:41:32 -04:00 |
| devtest | Make "cancel" buttons have proper type in modal forms (#25618) (#25641) | 2023-07-03 17:09:38 +08:00 |
| events | Implement FSFE REUSE for golang files (#21840) | 2022-11-27 18:20:29 +00:00 |
| explore | Replace interface{} with any (#25686) (#25687) | 2023-07-04 23:41:32 -04:00 |
| feed | Pass 'not' to commit count (#24473) | 2023-05-08 07:10:53 +00:00 |
| healthcheck | Refactor setting.Database.UseXXX to methods (#23354) | 2023-03-07 18:51:06 +08:00 |
| misc | Decouple the different contexts from each other (#24786) | 2023-05-21 09:50:53 +08:00 |
| org | fix incorrect repo url when changed the case of ownername (#25733) (#25881) | 2023-07-15 19:47:24 +02:00 |
| repo | When comparing with an non-exist repository, return 404 but 500 (#27437) (#27441) | 2023-10-04 14:27:42 +00:00 |
| shared | Fix typo of RunerOwnerID (#26508) (#26528) | 2023-08-16 06:28:39 +00:00 |
| user | fix pagination for followers and following (#27127) (#27138) | 2023-09-19 16:03:01 +00:00 |
| auth.go | Implement FSFE REUSE for golang files (#21840) | 2022-11-27 18:20:29 +00:00 |
| auth_windows.go | Implement FSFE REUSE for golang files (#21840) | 2022-11-27 18:20:29 +00:00 |
| base.go | Fix panic in storageHandler (#27446) (#27478) | 2023-10-06 16:51:04 +02:00 |
| goget.go | Support SSH for go get (#24664) | 2023-05-12 09:44:37 +00:00 |
| home.go | Refactor cookie (#24107) | 2023-04-13 15:45:33 -04:00 |
| metrics.go | Implement FSFE REUSE for golang files (#21840) | 2022-11-27 18:20:29 +00:00 |
| nodeinfo.go | Implement FSFE REUSE for golang files (#21840) | 2022-11-27 18:20:29 +00:00 |
| swagger_json.go | Group template helper functions, remove Printf, improve template error messages (#23982) | 2023-04-08 21:15:22 +08:00 |
| web.go | Allow get release download files and lfs files with oauth2 token format (#26430) (#27378) | 2023-10-01 19:54:15 +08:00 |
| webfinger.go | Replace interface{} with any (#25686) (#25687) | 2023-07-04 23:41:32 -04:00 |