Commit c5e3517a authored by Jacob Vosmaer's avatar Jacob Vosmaer

Do not leak repo existence information too early

parent 32220657
...@@ -74,13 +74,6 @@ func git_handler(w http.ResponseWriter, r *http.Request) { ...@@ -74,13 +74,6 @@ func git_handler(w http.ResponseWriter, r *http.Request) {
for _, g := range git_services { for _, g := range git_services {
path_match := g.regexp.FindStringSubmatch(r.URL.Path) path_match := g.regexp.FindStringSubmatch(r.URL.Path)
if r.Method == g.method && path_match != nil { if r.Method == g.method && path_match != nil {
// Validate the path to the Git repository
found_path := path_match[1]
if !valid_path(found_path) {
http.Error(w, "Not found", 404)
return
}
// Ask the auth backend if the request is allowed, and what the // Ask the auth backend if the request is allowed, and what the
// user ID (GL_ID) is. // user ID (GL_ID) is.
auth_response, err := do_auth_request(r) auth_response, err := do_auth_request(r)
...@@ -110,6 +103,13 @@ func git_handler(w http.ResponseWriter, r *http.Request) { ...@@ -110,6 +103,13 @@ func git_handler(w http.ResponseWriter, r *http.Request) {
return return
} }
// Validate the path to the Git repository
found_path := path_match[1]
if !valid_path(found_path) {
http.Error(w, "Not found", 404)
return
}
g.handle_func(user, g.rpc, path.Join(repo_root, found_path), w, r) g.handle_func(user, g.rpc, path.Join(repo_root, found_path), w, r)
return return
} }
......
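Review bot: The moved block keeps its old comment, `// Validate the path to the Git repository`, which says nothing about why it must now sit below the auth call, so a later cleanup could hoist it back above `do_auth_request(r)` and reopen the existence oracle. I would reword it to `// Validate the path only after authorization: this 404 must not be reachable by callers the auth backend rejected.` Separately, `do_auth_request(r)` now runs on any path that merely matches `g.regexp`. If `valid_path` also screens out malformed or traversal-style paths (its body is not visible here), the auth backend has to handle such paths safely on its own, and its decision should refer to the same repository that `path.Join(repo_root, found_path)` resolves to. The body of `git_handler` starts and ends outside these hunks, so the responses on the auth-failure path could not be checked for uniformity with this 404.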