authorayb <ayb@3hg.fr>2021-06-26 00:38:27 +0200
committerGitHub <noreply@github.com>2021-06-26 00:38:27 +0200
commit9b33d18899b7e825e4754969ffcc9d7b541d2d28 (patch)
tree0e6a0ea1f7062b18cdaa426b3d2eb42d9ca7ac2a
parentFuzzer finds an NPE due to incorrect URLPrefix (#16249) (diff)
downloadforgejo-9b33d18899b7e825e4754969ffcc9d7b541d2d28.tar.xz
forgejo-9b33d18899b7e825e4754969ffcc9d7b541d2d28.zip
Added support for gopher URLs. (#14749)
* Added support for gopher URLs. * Add setting and make this user settable instead Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
-rw-r--r--custom/conf/app.example.ini2
-rw-r--r--docs/content/doc/advanced/config-cheat-sheet.en-us.md1
-rw-r--r--modules/setting/service.go12
-rw-r--r--modules/validation/binding.go19
-rw-r--r--modules/validation/helpers.go19
-rw-r--r--services/forms/user_form.go2
6 files changed, 54 insertions, 1 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 5adfb0546f..fa6a9e3fac 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -705,6 +705,8 @@ PATH =
;;
;; Minimum amount of time a user must exist before comments are kept when the user is deleted.
;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
+;; Valid site url schemes for user profiles
+;VALID_SITE_URL_SCHEMES=http,https
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 5e976174fb..aa9eb7e0ca 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -519,6 +519,7 @@ relation to port exhaustion.
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
- `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
+- `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles
### Service - Expore (`service.explore`)
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 41e834e8e6..bd70c7e6eb 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -6,6 +6,7 @@ package setting
import (
"regexp"
+ "strings"
"time"
"code.gitea.io/gitea/modules/log"
@@ -55,6 +56,7 @@ var Service struct {
AutoWatchOnChanges bool
DefaultOrgMemberVisible bool
UserDeleteWithCommentsMaxTime time.Duration
+ ValidSiteURLSchemes []string
// OpenID settings
EnableOpenIDSignIn bool
@@ -120,6 +122,16 @@ func newService() {
Service.DefaultOrgVisibilityMode = structs.VisibilityModes[Service.DefaultOrgVisibility]
Service.DefaultOrgMemberVisible = sec.Key("DEFAULT_ORG_MEMBER_VISIBLE").MustBool()
Service.UserDeleteWithCommentsMaxTime = sec.Key("USER_DELETE_WITH_COMMENTS_MAX_TIME").MustDuration(0)
+ sec.Key("VALID_SITE_URL_SCHEMES").MustString("http,https")
+ Service.ValidSiteURLSchemes = sec.Key("VALID_SITE_URL_SCHEMES").Strings(",")
+ schemes := make([]string, len(Service.ValidSiteURLSchemes))
+ for _, scheme := range Service.ValidSiteURLSchemes {
+ scheme = strings.ToLower(strings.TrimSpace(scheme))
+ if scheme != "" {
+ schemes = append(schemes, scheme)
+ }
+ }
+ Service.ValidSiteURLSchemes = schemes
if err := Cfg.Section("service.explore").MapTo(&Service.Explore); err != nil {
log.Fatal("Failed to map service.explore settings: %v", err)
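Review bot: The filtered list built in the loop starts with one empty string per configured entry, because `schemes := make([]string, len(Service.ValidSiteURLSchemes))` sets the length rather than the capacity and the loop then appends after those zero values, so the `scheme != ""` filter never removes anything. That matters beyond tidiness: IsValidSiteURL in this same commit accepts a URL when any list entry equals `u.Scheme`, and url.ParseRequestURI returns an empty scheme for an absolute-path input, so an empty entry lets a scheme-less value pass the scheme check. The fix is one line, `schemes := make([]string, 0, len(Service.ValidSiteURLSchemes))`. The bare `sec.Key("VALID_SITE_URL_SCHEMES").MustString("http,https")` whose result is discarded presumably exists only to seed the default for the `Strings(",")` call on the next line; a comment saying so would stop a later reader from deleting it. newService begins and ends outside this hunk.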
diff --git a/modules/validation/binding.go b/modules/validation/binding.go
index 4cef48daf3..5d5c64611f 100644
--- a/modules/validation/binding.go
+++ b/modules/validation/binding.go
@@ -55,6 +55,7 @@ func CheckGitRefAdditionalRulesValid(name string) bool {
func AddBindingRules() {
addGitRefNameBindingRule()
addValidURLBindingRule()
+ addValidSiteURLBindingRule()
addGlobPatternRule()
addRegexPatternRule()
addGlobOrRegexPatternRule()
@@ -102,6 +103,24 @@ func addValidURLBindingRule() {
})
}
+func addValidSiteURLBindingRule() {
+ // URL validation rule
+ binding.AddRule(&binding.Rule{
+ IsMatch: func(rule string) bool {
+ return strings.HasPrefix(rule, "ValidSiteUrl")
+ },
+ IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
+ str := fmt.Sprintf("%v", val)
+ if len(str) != 0 && !IsValidSiteURL(str) {
+ errs.Add([]string{name}, binding.ERR_URL, "Url")
+ return false, errs
+ }
+
+ return true, errs
+ },
+ })
+}
+
func addGlobPatternRule() {
binding.AddRule(&binding.Rule{
IsMatch: func(rule string) bool {
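Review bot: The comment on addValidSiteURLBindingRule, `// URL validation rule`, appears to repeat the one on the existing addValidURLBindingRule and does not say how the new `ValidSiteUrl` rule differs from `ValidUrl`. Since the difference is exactly the scheme set, which comes from the VALID_SITE_URL_SCHEMES setting via IsValidSiteURL, I would make that explicit: `// Site URL validation rule: like the ValidUrl rule, but the scheme must be one of setting.Service.ValidSiteURLSchemes (VALID_SITE_URL_SCHEMES).` The rule also reports the same `binding.ERR_URL`/"Url" error as the existing rule, which is fine but worth a word in the comment so translators and form code know no new message key is needed.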
diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go
index c22e667a2e..343261aac5 100644
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@@ -52,6 +52,25 @@ func IsValidURL(uri string) bool {
return true
}
+// IsValidSiteURL checks if URL is valid
+func IsValidSiteURL(uri string) bool {
+ u, err := url.ParseRequestURI(uri)
+ if err != nil {
+ return false
+ }
+
+ if !validPort(portOnly(u.Host)) {
+ return false
+ }
+
+ for _, scheme := range setting.Service.ValidSiteURLSchemes {
+ if scheme == u.Scheme {
+ return true
+ }
+ }
+ return false
+}
+
// IsAPIURL checks if URL is current Gitea instance API URL
func IsAPIURL(uri string) bool {
return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api"))
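Review bot: IsValidSiteURL has no guard for an empty scheme, and url.ParseRequestURI accepts absolute-path input such as `/x` with `u.Scheme == ""`, so correctness depends entirely on the configured list never containing an empty string; a two-line guard after the error check, `if u.Scheme == "" {` / `return false }`, makes the function safe regardless of how the setting was parsed. The doc comment `// IsValidSiteURL checks if URL is valid` also says nothing about the contract; I would write `// IsValidSiteURL reports whether uri parses as a request URI, has a valid port, and uses one of the schemes in setting.Service.ValidSiteURLSchemes.` The comparison `scheme == u.Scheme` is exact, which works because the setting is lowercased at load time and net/url lowercases the parsed scheme, but that dependency deserves a one-line comment on the loop. portOnly and validPort are defined outside this hunk, so their handling of an empty host is not visible here.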
diff --git a/services/forms/user_form.go b/services/forms/user_form.go
index 2c065dc511..903a625da0 100644
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@@ -226,7 +226,7 @@ type UpdateProfileForm struct {
Name string `binding:"AlphaDashDot;MaxSize(40)"`
FullName string `binding:"MaxSize(100)"`
KeepEmailPrivate bool
- Website string `binding:"ValidUrl;MaxSize(255)"`
+ Website string `binding:"ValidSiteUrl;MaxSize(255)"`
Location string `binding:"MaxSize(50)"`
Language string
Description string `binding:"MaxSize(255)"`