Skip to content

Path Traversal in file editing UI and API (GHSA-r7j8-5h9c-f6fx, GHSA-qf5v-rp47-55gg) #7582

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 task done
ManassehZhou opened this issue Oct 27, 2023 · 1 comment · Fixed by #7859
Closed
1 task done

Path Traversal in file editing UI and API (GHSA-r7j8-5h9c-f6fx, GHSA-qf5v-rp47-55gg) #7582

ManassehZhou opened this issue Oct 27, 2023 · 1 comment · Fixed by #7859
Assignees
@unknwon
Labels
💊 bug Something isn't working 🔒 security Categorizes as related to security
Milestone
0.13.1

Comments

@ManassehZhou
Copy link

Describe the bug

detailed information has been sent to ([email protected])

Code of Conduct

  • I agree to follow this project's Code of Conduct
@unknwon unknwon added this to the 0.13.1 milestone Dec 9, 2024
@unknwon unknwon self-assigned this Dec 9, 2024
@unknwon unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels Dec 9, 2024
@unknwon
Copy link
Member

unknwon commented Dec 9, 2024
edited
Loading

GHSA created for this report:

They are currently private, will publish 14 days after 0.13.1 is released.

@unknwon unknwon changed the title RCE vulnerability in GOGS Remote Command Execution in file editing Dec 9, 2024
@unknwon unknwon changed the title Remote Command Execution in file editing Remote Command Execution in file editing (GHSA-r7j8-5h9c-f6fx) Dec 9, 2024
@unknwon unknwon mentioned this issue Dec 9, 2024
Merged
3 tasks
unknwon added a commit that referenced this issue Dec 9, 2024
@unknwon
repo/editor: disallow editing symlink while changing file name (#7857)
c94baec 
## Describe the pull request

Link to the issue: #7582
@unknwon unknwon changed the title Remote Command Execution in file editing (GHSA-r7j8-5h9c-f6fx) Path Traversal in file editing UI and API (GHSA-r7j8-5h9c-f6fx, GHSA-qf5v-rp47-55gg) Dec 15, 2024
@unknwon unknwon mentioned this issue Dec 15, 2024
Merged
3 tasks
unknwon added a commit that referenced this issue Dec 15, 2024
@unknwon
api: clean file path for updating repo contents (#7859)
9a9388a 
## Describe the pull request

Link to the issue: closes #7582
unknwon added a commit that referenced this issue Dec 22, 2024
@unknwon
repo/editor: disallow editing symlink while changing file name (#7857)
40cb106 
## Describe the pull request

Link to the issue: #7582
unknwon added a commit that referenced this issue Dec 22, 2024
@unknwon
api: clean file path for updating repo contents (#7859)
c947aff 
## Describe the pull request

Link to the issue: closes #7582
This was referenced Dec 23, 2024
Closed
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@unknwon unknwon

Labels
💊 bug Something isn't working 🔒 security Categorizes as related to security
Projects
None yet
Milestone
0.13.1
Development

Successfully merging a pull request may close this issue.

api: clean file path for updating repo contents gogs/gogs
2 participants
@ManassehZhou @unknwon