OS Command Injection in file uploading #6968

unknwon · 2022-05-25T12:22:26Z

Describe the bug

The report on huntr.dev https://www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b/

Code of Conduct

I agree to follow this project's Code of Conduct

Link to the issue: gogs#6968

unknwon · 2022-05-31T11:36:58Z

The 0.12.8 has been released that includes the patch of the reported issue.

The security Advisory has been published at GHSA-958j-443g-7mm7.

unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels May 25, 2022

unknwon added this to the 0.13.0 milestone May 25, 2022

unknwon added this to Gogs Roadmap May 25, 2022

unknwon moved this to Todo in Gogs Roadmap May 25, 2022

1135 added a commit to 1135/gogs that referenced this issue May 26, 2022

repo_editor: check path

efbdafe

Link to the issue: gogs#6968

unknwon linked a pull request May 26, 2022 that will close this issue

repo_editor: prohibits uploading files to .git. directory #6970

Merged

3 tasks

unknwon modified the milestones: 0.13.0, 0.12.8 May 26, 2022

unknwon moved this from Todo to In Progress in Gogs Roadmap May 26, 2022

unknwon self-assigned this May 30, 2022

unknwon closed this as completed in #6970 May 30, 2022

Repository owner moved this from In Progress to Done in Gogs Roadmap May 30, 2022

github-actions bot locked as resolved and limited conversation to collaborators Aug 30, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OS Command Injection in file uploading #6968

OS Command Injection in file uploading #6968

OS Command Injection in file uploading #6968

OS Command Injection in file uploading #6968

Comments

Describe the bug

Code of Conduct