go-gitea/modules
Hugo Landau 4a6466cca5
Remove environment variable parsing from SSH server
This removes the environment variable parsing code from the SSH server,
which never worked in the first place. Since environment variable
passing doesn't appear to be necessary for the built-in SSH server to
work properly, it's removed to reduce attack surface rather than fixing
it.

The current code processes (untrusted) input in a buggy manner and
passes it to a process invocation which doesn't actually do anything. I
don't *think* this is an exploitable vulnerability but I haven't looked
at it in detail, and it wouldn't really surprise me if it was.

Closes #1935, an alternative proposal which partially fixes the
environment variable handling but ultimately still leaves it broken.

Signed-off-by: Hugo Landau <hlandau@devever.net>
2018-06-17 23:14:23 +01:00
..
auth Add tag check to release draft creation (#3729) 2018-06-04 08:34:44 +03:00
avatar Use assert in legacy unit tests (#867) 2017-02-08 14:29:07 +08:00
base Symlink icons (#1416) (#3826) 2018-05-01 10:04:36 +03:00
cache Fix memcache support when value is returned as string always (#2924) 2017-11-16 15:06:34 +08:00
context fix not respecting landing page setting (#4209) 2018-06-15 11:42:46 +08:00
cron Add branch overiew page (#2108) 2017-10-26 08:49:16 +08:00
generate Implements generator cli for secrets (#3531) 2018-02-18 20:14:37 +02:00
highlight No highlighting for .txt files (#1922) 2017-06-09 19:39:16 -05:00
httplib Add sensitive headers (#3429) 2018-01-31 00:09:16 +02:00
indexer Global code search support (#3664) 2018-03-16 22:04:33 +08:00
lfs Fix path cleanup in multiple places (#3871) 2018-05-01 09:46:04 +08:00
log Fix lint errors (#2547) 2017-09-19 11:08:30 +03:00
mailer Add support for extra sendmail arguments (#2731) 2017-10-25 22:27:25 +03:00
markup markup: escape short wiki link (#4091) 2018-06-15 20:42:49 +08:00
minwinsvc Fix Git hooks not being executed on Windows when running as a service (#1149) 2017-03-09 09:27:43 +08:00
notification Notification - Step 1 (#523) 2016-12-31 00:44:54 +08:00
options Fix typos in models/ and modules/ (#1248) 2017-03-15 08:52:01 +08:00
private improve protected branch to add whitelist support (#2451) 2017-09-14 16:16:22 +08:00
process Fix run command race (#1470) 2017-11-13 22:51:45 +08:00
public Enable caching on assets and avatars (#3376) 2018-02-04 00:37:05 +02:00
search Global code search support (#3664) 2018-03-16 22:04:33 +08:00
setting Removed unnecessary line referencing LFS struct (#4113) 2018-06-04 21:07:42 +03:00
ssh Remove environment variable parsing from SSH server 2018-06-17 23:14:23 +01:00
sync Fix status table race condition (#1835) 2017-05-31 16:57:17 +08:00
templates Show second line by using >= 1 instead of > 1 (#4251) 2018-06-15 10:07:48 -04:00
test API endpoint for testing webhook (#3550) 2018-04-29 14:21:33 +08:00
user golint fixed for modules/user 2016-11-24 17:37:11 +08:00
util Fix #4081 Check for leading / in base before removing it (#4082) 2018-05-30 21:23:43 +08:00
validation Add tag check to release draft creation (#3729) 2018-06-04 08:34:44 +03:00