From d9da20aa9a765bebef7d54f59b12f8f28cf25c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?=
Date: Mon, 20 Nov 2023 16:34:19 +0100
Subject: [PATCH] [GITEA] fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers
(cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7)
(cherry picked from commit 2d9d2979e674667cffeeafeef279f749d36bd2f5)
(cherry picked from commit 6483bceee2827f8528c579ed4623744dcc61f856)
(cherry picked from commit 589d10a181b21c890ab350712ec9fa5777a5c291)
---
 routers/web/repo/issue_pin.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/routers/web/repo/issue_pin.go b/routers/web/repo/issue_pin.go
index f853f72335..11072c07a1 100644
--- a/routers/web/repo/issue_pin.go
+++ b/routers/web/repo/issue_pin.go
@@ -89,6 +89,10 @@ func IssuePinMove(ctx *context.Context) {
 log.Error(err.Error())
 return
 }
+ if issue.RepoID != ctx.Repo.Repository.ID {
+ ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+ return
+ }
 err = issue.MovePin(ctx, form.Position)
 if err != nil {
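Review bot: The added guard in IssuePinMove reports the repository mismatch with `issues_model.ErrCommentNotExist{}`, which names a comment although the object being checked is an issue; `ctx.NotFound("CompareRepoID", issues_model.ErrIssueNotExist{ID: issue.ID, RepoID: ctx.Repo.Repository.ID})` would keep logs and error matching accurate. Nothing in the hunk says why the comparison is there, so a comment such as `// form.ID is a caller-supplied global issue ID; it must belong to the repository named in the URL` would help the next reader keep it. The diffstat shows only this file changed, so no regression test covers a request carrying an issue ID from another repository; an integration test asserting 404 for that case would protect the check through later refactors. The lookup-failure branch above the guard begins outside the hunk (as does the function body), and if it answers an unknown ID with a status other than this 404, the two responses would let a caller distinguish existing foreign IDs from nonexistent ones, so it is worth confirming that both cases look the same to the client.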