fixed vulnerabilities on deleting release (#399)

This commit is contained in:
Lunny Xiao 2016-12-16 19:42:39 +08:00 committed by GitHub
parent 8aeeed0a23
commit 15c3d14d55
2 changed files with 9 additions and 2 deletions

View file

@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
} }
// DeleteReleaseByID deletes a release and corresponding Git tag by given ID. // DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
func DeleteReleaseByID(id int64) error { func DeleteReleaseByID(id int64, u *User) error {
rel, err := GetReleaseByID(id) rel, err := GetReleaseByID(id)
if err != nil { if err != nil {
return fmt.Errorf("GetReleaseByID: %v", err) return fmt.Errorf("GetReleaseByID: %v", err)
@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error {
return fmt.Errorf("GetRepositoryByID: %v", err) return fmt.Errorf("GetRepositoryByID: %v", err)
} }
has, err := HasAccess(u, repo, AccessModeWrite)
if err != nil {
return fmt.Errorf("HasAccess: %v", err)
} else if !has {
return fmt.Errorf("DeleteReleaseByID: permission denied")
}
_, stderr, err := process.ExecDir(-1, repo.RepoPath(), _, stderr, err := process.ExecDir(-1, repo.RepoPath(),
fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID), fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
"git", "tag", "-d", rel.TagName) "git", "tag", "-d", rel.TagName)

View file

@ -296,7 +296,7 @@ func EditReleasePost(ctx *context.Context, form auth.EditReleaseForm) {
// DeleteRelease delete a release // DeleteRelease delete a release
func DeleteRelease(ctx *context.Context) { func DeleteRelease(ctx *context.Context) {
if err := models.DeleteReleaseByID(ctx.QueryInt64("id")); err != nil { if err := models.DeleteReleaseByID(ctx.QueryInt64("id"), ctx.User); err != nil {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error()) ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
} else { } else {
ctx.Flash.Success(ctx.Tr("repo.release.deletion_success")) ctx.Flash.Success(ctx.Tr("repo.release.deletion_success"))