
Gitea grants 0750 rights to uploaded avatars #22161

Closed
Izorkin opened this issue Dec 18, 2022 · 4 comments · Fixed by #22162

Izorkin commented Dec 18, 2022

Description

Gitea grants 0750 rights to uploaded avatars

```
ls -lah /var/lib/gitea/data/avatars
total 316K
drwxr-xr-x  3 gitea gitea 4.0K Dec 18 13:33 .
drwxr-xr-x 13 gitea gitea 4.0K Dec 18 13:05 ..
-rwxr-x---  1 gitea gitea 301K Dec 18 13:33 11be58ba3ef76ecc7ff4664e077d5c62
drwxr-xr-x  2 gitea gitea 4.0K Dec 18 13:33 tmp
```

Required grants - 0650 0640.

Gitea Version

1.18-dev

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

NixOS

How are you running Gitea?

Using gitea module in OS NixOS.

Database

None

zeripath added a commit to zeripath/gitea that referenced this issue Dec 18, 2022
The PR go-gitea#21198 introduced a probable security vulnerability which resulted in making all
storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix go-gitea#22161

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this issue Dec 18, 2022
Backport go-gitea#22162

The PR go-gitea#21198 introduced a probable security vulnerability which resulted in making all
storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix go-gitea#22161

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
Contributor

🤦

Izorkin commented Dec 18, 2022

@zeripath thanks. fixed.

@zeripath
Contributor

@Izorkin do you mean the pr fixes the problem?

It's probably better to comment on the PR directly to indicate that you think it's correct.

Izorkin commented Dec 18, 2022

> @Izorkin do you mean the pr fixes the problem?

Yes, fixed my problem.

lafriks pushed a commit that referenced this issue Dec 18, 2022
Backport #22162

The PR #21198 introduced a probable security vulnerability which
resulted in making all storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix #22161

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
lunny pushed a commit that referenced this issue Dec 19, 2022
The PR #21198 introduced a probable security vulnerability which
resulted in making all storage files be marked as executable.

This PR ensures that these are forcibly marked as non-executable.

Fix #22161

Signed-off-by: Andrew Thornton <art27@cantab.net>
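The commit messages above describe the fix as forcibly marking stored files non-executable. The following Go program is an added example, not Gitea's code and not its storage API, showing the two pieces a maintainer or operator would want: a write path that clears every execute bit (including on an already existing file, where `os.WriteFile` alone would leave the old mode in place), and an audit walk that lists regular files in a directory that still carry an execute bit, which is how an operator can check an existing `data/avatars` tree after upgrading. The function names `nonExecMode`, `writeStoredFile` and `findExecutableFiles` and the sample file names are assumptions for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// execBits is the union of the owner, group and other execute bits.
const execBits fs.FileMode = 0o111

// nonExecMode strips every execute bit from mode and keeps the remaining
// permission bits untouched, so 0750 becomes 0640 and 0755 becomes 0644.
func nonExecMode(mode fs.FileMode) fs.FileMode {
	return mode.Perm() &^ execBits
}

// writeStoredFile writes content to path with all execute bits cleared.
// The explicit Chmod afterwards matters for two reasons: os.WriteFile only
// applies perm when it creates the file, so an existing executable file
// would keep its old mode, and the process umask could otherwise alter the
// bits that were requested.
func writeStoredFile(path string, content []byte, requested fs.FileMode) error {
	mode := nonExecMode(requested)
	if err := os.WriteFile(path, content, mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// findExecutableFiles walks root and returns every regular file that has
// any execute bit set. Directories are skipped because they legitimately
// need the execute (search) bit.
func findExecutableFiles(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&execBits != 0 {
			found = append(found, p)
		}
		return nil
	})
	return found, err
}

func main() {
	dir, err := os.MkdirTemp("", "avatars-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample: an upload stored with the 0750 mode from the report.
	buggy := filepath.Join(dir, "avatar-before-fix")
	if err := os.WriteFile(buggy, []byte("png bytes"), 0o750); err != nil {
		panic(err)
	}
	if err := os.Chmod(buggy, 0o750); err != nil { // bypass umask for the demo
		panic(err)
	}

	// Constructed sample: the same upload written through the hardened path.
	fixed := filepath.Join(dir, "avatar-after-fix")
	if err := writeStoredFile(fixed, []byte("png bytes"), 0o750); err != nil {
		panic(err)
	}

	found, err := findExecutableFiles(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("executable files found:", found) // only avatar-before-fix
}
```

Running the program prints only the file written with the unmasked 0750 mode; the file written through `writeStoredFile` ends up 0640, matching the permissions the report asks for.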
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023