From 15c3d14d554f95423ea34ceeb0dc91bc479861f2 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Fri, 16 Dec 2016 19:42:39 +0800 Subject: [PATCH] fixed vulnerabilities on deleting release (#399) --- models/release.go | 9 ++++++++- routers/repo/release.go | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/models/release.go b/models/release.go index c047b2f557..41fd145bea 100644 --- a/models/release.go +++ b/models/release.go @@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) { } // DeleteReleaseByID deletes a release and corresponding Git tag by given ID. -func DeleteReleaseByID(id int64) error { +func DeleteReleaseByID(id int64, u *User) error { rel, err := GetReleaseByID(id) if err != nil { return fmt.Errorf("GetReleaseByID: %v", err) @@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error { return fmt.Errorf("GetRepositoryByID: %v", err) } + has, err := HasAccess(u, repo, AccessModeWrite) + if err != nil { + return fmt.Errorf("HasAccess: %v", err) + } else if !has { + return fmt.Errorf("DeleteReleaseByID: permission denied") + } + _, stderr, err := process.ExecDir(-1, repo.RepoPath(), fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID), "git", "tag", "-d", rel.TagName) diff --git a/routers/repo/release.go b/routers/repo/release.go index 7616d9e79e..dc5a54c6fb 100644 --- a/routers/repo/release.go +++ b/routers/repo/release.go @@ -296,7 +296,7 @@ func EditReleasePost(ctx *context.Context, form auth.EditReleaseForm) { // DeleteRelease delete a release func DeleteRelease(ctx *context.Context) { - if err := models.DeleteReleaseByID(ctx.QueryInt64("id")); err != nil { + if err := models.DeleteReleaseByID(ctx.QueryInt64("id"), ctx.User); err != nil { ctx.Flash.Error("DeleteReleaseByID: " + err.Error()) } else { ctx.Flash.Success(ctx.Tr("repo.release.deletion_success"))