.

ad2b32f0 · Kirill Smelkov · d33010bb · ad2b32f0
Commit ad2b32f0 authored Dec 04, 2015 by Kirill Smelkov
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 5 deletions

blob.go blob.go +14 -5

No files found.
--- a/blob.go
+++ b/blob.go
@@ -14,6 +14,7 @@ import (
 	"log"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"regexp"
 	"strings"
 	"sync"
@@ -220,17 +221,25 @@ var rawRe = regexp.MustCompile(`/raw/`)
 func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
 	// Extract project & refpath
 	// <project>/raw/branch/file -> <project>, branch/file
-	url := r.Request.URL
+	u := r.Request.URL // XXX naming
-	rawLoc := rawRe.FindStringIndex(url.Path)
+	rawLoc := rawRe.FindStringIndex(u.Path)
 	if rawLoc == nil {
 		fail500(w, "extract project name", nil) // XXX err=nil
 		return
 	}
-	project := url.Path[:rawLoc[0]]
+	project := u.Path[:rawLoc[0]]
-	refpath := url.Path[rawLoc[1]:]
+	refpath := u.Path[rawLoc[1]:]
+	// Extract only tokens from query
+	query := url.Values{}
+	for k, v := range u.Query() {
+		if strings.HasSuffix(k, "_token") {
+			query[k] = v
+		}
+	}
 	// Query download access auth for this project
-	authReply := verifyDownloadAccess(r.u, project, url.RawQuery)
+	authReply := verifyDownloadAccess(r.u, project, query.Encode())
 	if authReply.RepoPath == "" {
 		// access denied - copy auth reply to client in full -
 		// there are HTTP code and other headers / body relevant for