
[GITEA] fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7)
(cherry picked from commit 2d9d2979e6)
(cherry picked from commit 6483bceee2)
(cherry picked from commit 589d10a181)
Loïc Dachary 2023-11-20 16:34:19 +01:00 committed by Earl Warren
parent f15a2c558a
commit d9da20aa9a
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00


@ -89,6 +89,10 @@ func IssuePinMove(ctx *context.Context) {
log.Error(err.Error()) log.Error(err.Error())
return return
} }
if issue.RepoID != ctx.Repo.Repository.ID {
ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
return
}
err = issue.MovePin(ctx, form.Position) err = issue.MovePin(ctx, form.Position)
if err != nil { if err != nil {