Closed nubenum closed 6 years ago
How did you create a branch with special characters inside? I tried it via the gitea branch dropdown and it resulted in this error: New branch name must be a well formed git reference name.
Sorry, I used the local git (2.14.1 on ubuntu) command line: git checkout -b "s<script>alert('XSS');</script>s" and then pushed to gitea. According to https://mirrors.edge.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html, this (and names with the other special chars I mentioned) is a perfectly valid branch name.
This should be fixed by #3691
The XSS part is fixed, but the other problems are not. Are you planning to not fix them because they are too unimportant? I can try to fix them; I was just reluctant because I'm not familiar with Go and the project itself.
Sorry, the issue was automatically closed when merging the PR. For the other issues it would be great if you could submit a PR.
Description
I admit it's a little stupid to use branch names that contain special characters (e.g. <>#ßä), but if you do, there are several issues:

On the dashboard/feed page at "[user] pushed to [branch]" (feeds.tmpl#L16) and possibly elsewhere, the legacy URL scheme is still used (/src/branch-name) and a redirect will occur to /src/branch/branch-name (repo.go#L622). With the branch name containing special chars, gitea gets caught in a redirect loop since for some reason the branch name is not trimmed as intended and thus appended over and over again (until failing with e.g. ERR_RESPONSE_HEADERS_TOO_BIG in Chrome). Removing the last references to the legacy URL scheme should help.

Using other links, such as the branch dropdown (branch_dropdown.tmpl#L13) in the repo view or the separate branch list ([repo]/branches/, list.tmpl#L44), it is working for chars like ßä. However, branch names with URL-relevant special chars, particularly the # (hash), are not escaped on the server side for the branches list (it works with the dropdown) and will thus result in a 404 since the part behind the hash never reaches the server.

The characters <> are also not always properly escaped. Sometimes they are stripped (dashboard), sometimes they are escaped (branches dropdown), and sometimes none of the two (href/clicking on entry in branch dropdown or branch list). Particularly, creating a branch s<script>alert('XSS');</script>s makes it possible to create an XSS attack at src/branch/s<script>alert('XSS');</script>s (at least in Firefox, Chrome blocks it), by accessing the branch via the dropdown or the list. The unescaped injection occurs at branch_dropdown.tmpl#L50.
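The two defects the description separates, a "#" that never reaches the server because it was not percent-encoded, and "<>" that reach the page unescaped, are both context-escaping problems. The Go program below is an added example and not Gitea's code or templates: it encodes each path segment of a branch name with url.PathEscape (so a "/" inside a name such as feature/foo stays a path separator), shows with url.Parse what the server would see from an encoded versus an unencoded link, and renders a minimal stand-in for a dropdown entry through html/template so the href and the visible name are each escaped for their own context. The function names, the repoLink parameter and the /user/repo value are this example's own assumptions; the sample branch names are the ones quoted in the issue.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// BranchPath builds a /src/branch/<name> link with every path segment of
// the branch name percent-encoded, so '#', '<', '>' and non-ASCII bytes
// reach the server intact, while a '/' inside the branch name (e.g.
// "feature/foo") stays a path separator. Function name and repoLink are
// assumptions of this example, not Gitea's API.
func BranchPath(repoLink, branch string) string {
	segs := strings.Split(branch, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return repoLink + "/src/branch/" + strings.Join(segs, "/")
}

// BranchFromRequestPath mimics the server side: url.Parse moves everything
// after a literal '#' into the fragment (which a browser never sends) and
// percent-decodes the path, so an unencoded name comes back truncated and
// an encoded one comes back whole.
func BranchFromRequestPath(rawLink string) (string, error) {
	u, err := url.Parse(rawLink)
	if err != nil {
		return "", err
	}
	const prefix = "/src/branch/"
	i := strings.Index(u.Path, prefix)
	if i < 0 {
		return "", fmt.Errorf("not a branch link: %q", rawLink)
	}
	return u.Path[i+len(prefix):], nil
}

// branchLink is a minimal stand-in for a dropdown entry (not Gitea's
// template). html/template escapes .Href in URL-in-attribute context and
// .Name in HTML text context, so neither can break out of the markup.
var branchLink = template.Must(template.New("branch").Parse(
	`<a href="{{.Href}}">{{.Name}}</a>`))

// RenderBranchLink renders one entry with href and visible name escaped
// for their respective contexts.
func RenderBranchLink(repoLink, branch string) (string, error) {
	var buf bytes.Buffer
	err := branchLink.Execute(&buf, map[string]string{
		"Href": BranchPath(repoLink, branch),
		"Name": branch,
	})
	return buf.String(), err
}

func main() {
	// Constructed sample inputs: the branch names quoted in the issue.
	samples := []string{"<>#ßä", "feature/foo#1", "s<script>alert('XSS');</script>s"}
	for _, name := range samples {
		link := BranchPath("/user/repo", name)
		seen, _ := BranchFromRequestPath(link)
		naive, _ := BranchFromRequestPath("/user/repo/src/branch/" + name)
		rendered, _ := RenderBranchLink("/user/repo", name)
		fmt.Printf("branch %q\n  escaped link: %s\n  server sees:  %q (unescaped link would give %q)\n  rendered:     %s\n",
			name, link, seen, naive, rendered)
	}
}
```

For "<>#ßä" the unencoded link yields only "<>" on the server side, which is the 404 the description reports, while the encoded link round-trips the full name; the rendered entry shows "&lt;&gt;#ßä" as text and a percent-encoded href, so the script-tag branch name is inert in both positions. Splitting on "/" before encoding is a deliberate choice that keeps Gitea's /src/branch/feature/foo style of URL working for branch names that contain slashes.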