Remote command execution

[5alt]

• Gogs version (or commit ref): newest(3a4c981)
• Can you reproduce the bug at https://try.gogs.io:
  • [ x] Yes (provide example URL)
  • No
  • Not relevant

Description

I can login to arbitrary account. And when I logged in as admin, I can execute any command by git hooks.

I just tried login to Unknown's account but do not perform command execution.

As this is a very severe issue, I won't post details here.

@unknwon can you give me your email address and I send the details to you?

[shaileshsharan98]

This is a very serious issue @unknwon and this is the email u@gogs.io @5alt

[unknwon]

Patch has pushed to fix this issue, please test on develop branch or https://try.gogs.io.

[5alt]

hi, the patch can be bypassed using ..\ in Windows. You should check .. actually.

if strings.ContainsAny(sid, "..") {
		return nil, errors.New("invalid 'sid': " + sid)
	}

[unknwon]

strings.ContainsAny checks any substring of second argument, so even "..\" should work:

https://play.golang.org/p/z2QN4ReKbfT