Open ahorseman opened 1 day ago
How to reproduce? Do you mean doing something on Gitea's web UI, or do you mean something like git clone http://user:my/password@my-gitea.com/user/repo on your machine?
showing the password string as plaintext in the error message
Which error message and which page/UI? Could you use a fake password to capture a screenshot?
Is it really gitea end or git end? A backslash (\) will obviously cause issues in a cli git environment as this is an escape character
So depending on what was shown it was either git/bash responding locally for an ambiguous command or gitea echoing back (and yes that would be an interesting concern)
It is because it's not a valid URL format, / must be replaced with %2F
Description
When using a password with a slash (potentially other special characters?) to authenticate to an existing git repository in order to clone it to Gitea, the password string gets cut at the slash and cloning / migration does not work.
Security risk: Gitea is showing the password string as plaintext in the error message (which, though, made it pretty obvious to me that the slash is the issue).
Gitea Version
1.21.10
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
It's running via Turnkey-Linux on a Proxmox server.
Database
None
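The two points raised in this thread (a `/` in the password has to travel as `%2F`, and a failing URL should not be echoed with its credentials) can be handled as in the following added example. It is not Gitea's code; the function names `BuildCloneURL` and `RedactURL` and the host `git.example.com` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedactURL hides everything between "://" and the last "@" so the URL can be
// shown in an error or log line. It is textual on purpose: with an unescaped
// "/" in the password the URL no longer parses as intended, so a parser cannot
// be trusted to locate the credentials. It may over-redact when "@" appears
// in the path, which is the safe direction for an error message.
func RedactURL(raw string) string {
	i := strings.Index(raw, "://")
	if i < 0 {
		return raw
	}
	rest := raw[i+3:]
	at := strings.LastIndex(rest, "@")
	if at < 0 {
		return raw
	}
	return raw[:i] + "://***" + rest[at:]
}

// BuildCloneURL takes the address and the credentials as separate fields and
// attaches the credentials as percent-encoded userinfo, so "/" in the
// password becomes "%2F" instead of ending the authority component.
func BuildCloneURL(base, user, password string) (string, error) {
	u, err := url.Parse(base)
	if err != nil || u.Host == "" || strings.Contains(base, "@") {
		// Do not wrap err: url.Error quotes the raw input, password included.
		return "", fmt.Errorf("clone address must be a plain URL without credentials: %s", RedactURL(base))
	}
	u.User = url.UserPassword(user, password)
	return u.String(), nil
}

func main() {
	// Constructed sample values, not taken from a real server.
	good, _ := BuildCloneURL("https://git.example.com/user/repo.git", "user", "my/password")
	fmt.Println(good)
	_, err := BuildCloneURL("https://user:my/password@git.example.com/user/repo.git", "", "")
	fmt.Println(err)
}
```
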