mirror of https://github.com/go-gitea/gitea.git synced 2025-10-25 02:45:25 -04:00

Fix GitHub release assets URL validation (#35287) (#35290)

Backport #35287 by @alexblackie

GitHub changed where the attachments on releases are stored, which means
repo migrations with releases now fail because the redirect URLs don't
match the base URL validation. We need to update the base URL check to
check for the `release-assets` subdomain as well.

Co-authored-by: Alex Blackie <alex@blackie.ca>
Giteabot
2025-08-16 10:43:59 +08:00
committed by GitHub
parent f3e6672c09
commit ac03e65cf4


@@ -354,7 +354,8 @@ func (g *GithubDownloaderV3) convertGithubRelease(ctx context.Context, rel *gith
// Prevent open redirect // Prevent open redirect
if !hasBaseURL(redirectURL, g.baseURL) && if !hasBaseURL(redirectURL, g.baseURL) &&
!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") { !hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") &&
!hasBaseURL(redirectURL, "https://release-assets.githubusercontent.com/") {
WarnAndNotice("Unexpected AssetURL for assetID[%d] in %s: %s", asset.GetID(), g, redirectURL) WarnAndNotice("Unexpected AssetURL for assetID[%d] in %s: %s", asset.GetID(), g, redirectURL)
return io.NopCloser(strings.NewReader(redirectURL)), nil return io.NopCloser(strings.NewReader(redirectURL)), nil