forgejo/routers/web
Giteabot 5b670d83e1
Fix panic in storageHandler (#27446) (#27479)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServeHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
2023-10-06 16:51:26 +02:00
admin Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
auth Another round of `db.DefaultContext` refactor (#27103) (#27262) 2023-09-25 19:24:35 +02:00
devtest Make "cancel" buttons have proper type in modal forms (#25618) 2023-07-03 14:04:50 +08:00
events Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
explore Next round of `db.DefaultContext` refactor (#27089) 2023-09-16 14:39:12 +00:00
feed More `db.DefaultContext` refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
healthcheck Remove `db.DefaultContext` in `routers/` and `cmd/` (#26076) 2023-07-23 23:47:27 -04:00
misc Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
org More `db.DefaultContext` refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
repo When comparing with an non-exist repository, return 404 but 500 (#27437) (#27442) 2023-10-04 14:41:57 +00:00
shared Introduce fixes and more rigorous tests for 'Show on a map' feature (#26803) (#27365) 2023-09-30 15:58:35 +00:00
user Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
base.go Fix panic in storageHandler (#27446) (#27479) 2023-10-06 16:51:26 +02:00
goget.go Support SSH for go get (#24664) 2023-05-12 09:44:37 +00:00
home.go Reduce usage of `db.DefaultContext` (#27073) 2023-09-14 17:09:32 +00:00
metrics.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
nodeinfo.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
swagger_json.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
web.go Allow get release download files and lfs files with oauth2 token format (#26430) (#27379) 2023-10-01 19:54:11 +08:00
webfinger.go Add a link to OpenID Issuer URL in WebFinger response (#26000) 2023-07-20 16:02:45 +08:00