
Add config option for HTML render mode #3608


Closed
kookxiang opened this issue Sep 6, 2016 · 4 comments
Labels: 💊 bug, 🔒 security, status: needs feedback

Comments

@kookxiang

As in #2593, you added a ?render=1 param which renders an HTML file instead of serving it in raw mode.

This may lead to a security problem.

  1. First, a user uploads a repository, like https://try.gogs.io/kookxiang/demo
  2. Then, the user can send a link to an admin with the render param, like: https://try.gogs.io/kookxiang/demo/raw/master/index.htm?render=1
  3. When another user accesses that page, my SSH key is inserted into their settings. (Check in https://try.gogs.io/user/settings/ssh; with this method, they could do anything you can do, without password confirmation.)

Just like GitHub: an HTML file cannot be rendered under the github.com domain.
So they use a github.io domain to keep the main domain secure.

Please remove this param, or at least move the option into the config file.

@rugk
Contributor

rugk commented Sep 7, 2016

Oh, this is a security vulnerability and you may have reported it privately to @unknwon. However, once it is public, as it is now, it should be fixed as fast as possible.

@unknwon changed the title from "Please don't render html" to "XSS in HTML render mode" Sep 9, 2016
@unknwon added the 💊 bug and 🔒 security labels Sep 9, 2016
@unknwon added this to the 0.10.0 milestone Sep 9, 2016
@unknwon self-assigned this Sep 9, 2016
@pgaskin

pgaskin commented Jan 12, 2017

I would like this option to remain because I depend on it, but it should be off by default for security reasons.

@pgaskin

pgaskin commented Jan 17, 2017

Have a look at go-gitea/gitea#685. I have added an option which moves this into the config file.

@unknwon modified the milestones: 0.11.0, 0.10.0 Feb 11, 2017
@unknwon changed the title from "XSS in HTML render mode" to "Add config option for HTML render mode" Mar 17, 2017
unknwon added a commit that referenced this issue Mar 17, 2017
Added '[repository] ENABLE_RAW_FILE_RENDER_MODE'.
@unknwon added the status: needs feedback label Mar 17, 2017
@unknwon
Member

unknwon commented Mar 17, 2017

A patch has been pushed to fix this issue; please test on the develop branch or https://try.gogs.io.

This is disabled by default, see details in b3c4a39.

@unknwon unknwon closed this as completed Mar 23, 2017
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 10, 2022
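The shape of the fix this thread converged on, written out as an added example rather than the project's own patch: a Go raw-file handler that serves every file as inert text by default and only switches to the native type when an operator-set config flag is on and the request asks for it. The struct `RepoConfig`, its field `EnableRawFileRenderMode`, the in-memory `repoFiles` map and the handler itself are assumptions for this example; the thread names the real setting ('[repository] ENABLE_RAW_FILE_RENDER_MODE') but does not show how Gogs wires it. The example also goes one step past the thread by attaching a `Content-Security-Policy: sandbox` header to rendered output, so that even with the option enabled the rendered document gets an opaque origin and no script execution, which is the in-origin approximation of the separate-domain design the reporter points to with github.io.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strconv"
	"strings"
)

// RepoConfig stands in for a '[repository]' setting that gates HTML rendering
// of raw files. The struct and field name are assumptions made for this
// example, not the project's own configuration code.
type RepoConfig struct {
	EnableRawFileRenderMode bool // zero value is false: off by default
}

// repoFiles is a constructed in-memory stand-in for a repository checkout.
// The HTML file plays the role of content controlled by another user.
var repoFiles = map[string][]byte{
	"index.htm":  []byte("<html><body><script>/* would run as the viewer */</script></body></html>"),
	"README.txt": []byte("plain text, harmless either way\n"),
}

// isActiveContent reports whether a browser would execute markup or script
// in a file of this type if it were served with its native MIME type.
func isActiveContent(name string) bool {
	switch strings.ToLower(path.Ext(name)) {
	case ".htm", ".html", ".xhtml", ".shtml", ".svg", ".xml", ".xsl", ".xslt":
		return true
	}
	return false
}

// renderType is the MIME type used only when rendering is enabled and
// requested. Anything not listed stays plain text.
func renderType(name string) string {
	switch strings.ToLower(path.Ext(name)) {
	case ".htm", ".html", ".xhtml", ".shtml":
		return "text/html; charset=utf-8"
	case ".svg":
		return "image/svg+xml"
	case ".xml", ".xsl", ".xslt":
		return "text/xml; charset=utf-8"
	}
	return "text/plain; charset=utf-8"
}

// RawFileHandler serves the bytes of a repository file under /raw/.
// By default every file goes out as inert text (active types additionally as
// a download), so markup in someone else's repository never executes in the
// origin that holds the viewer's session cookie. Only when the operator has
// turned the option on does ?render=1 switch to the native type, and even
// then a CSP sandbox gives the document an opaque origin and blocks script.
func RawFileHandler(cfg RepoConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := path.Base(r.URL.Path)
		data, ok := repoFiles[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		h := w.Header()
		// Never let the browser second-guess the declared type.
		h.Set("X-Content-Type-Options", "nosniff")

		wantRender := r.URL.Query().Get("render") == "1"
		switch {
		case wantRender && cfg.EnableRawFileRenderMode:
			h.Set("Content-Type", renderType(name))
			h.Set("Content-Security-Policy", "sandbox")
		case isActiveContent(name):
			h.Set("Content-Type", "text/plain; charset=utf-8")
			h.Set("Content-Disposition", "attachment; filename="+strconv.Quote(name))
		default:
			h.Set("Content-Type", "text/plain; charset=utf-8")
		}
		_, _ = w.Write(data)
	})
}

// serve pushes one GET through the handler and returns the response, so the
// header decisions can be inspected without starting a server.
func serve(cfg RepoConfig, target string) *http.Response {
	rec := httptest.NewRecorder()
	RawFileHandler(cfg).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result()
}

func main() {
	for _, cfg := range []RepoConfig{{}, {EnableRawFileRenderMode: true}} {
		resp := serve(cfg, "/kookxiang/demo/raw/master/index.htm?render=1")
		fmt.Printf("render_mode=%v -> Content-Type=%q Disposition=%q CSP=%q\n",
			cfg.EnableRawFileRenderMode,
			resp.Header.Get("Content-Type"),
			resp.Header.Get("Content-Disposition"),
			resp.Header.Get("Content-Security-Policy"))
	}
}
```

Two design points worth noting. `X-Content-Type-Options: nosniff` is set unconditionally because some older browsers would sniff a `text/plain` body that looks like HTML and render it anyway, which would reopen the exact hole the flag is meant to close. And the CSP `sandbox` on rendered output means the feature pgaskin depends on (viewing static HTML) keeps working, while a script in that HTML neither runs nor shares the viewer's origin; hosting rendered files on a separate domain, as the reporter describes for github.io, remains the stronger design when it is available.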