mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-29 22:31:28 +00:00
0c67849e68
**Newline injection into the Debian Release and Packages indices** The `distribution` and `component` come straight from the request path and are written line by line into the generated `Release` and `Packages` files (the `Suite`/`Codename`/`Components` lines and the `Filename: pool/<distribution>/<component>/...` line), but `UploadPackageFile` only checked they were non-empty. `ctx.PathParam` url-decodes the segment, so an encoded newline such as `main%0AInjected-Field: x` is accepted, stored and then re-emitted for that distribution, which lets an authenticated uploader forge extra fields in the index apt consumes. Restricted both values to a conservative name pattern in the handler, since that is the layer that accepts them; this should also keep the pool paths well formed. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>