[GITEA] fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers
(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
(cherry picked from commit bebc244156)
(cherry picked from commit 2a8cb675ca)
parent
9f8bf83b0e
commit
56d68932ac
1 changed files with 8 additions and 0 deletions
|
@ -198,11 +198,19 @@ func SoftDeleteContentHistory(ctx *context.Context) {
|
|||
log.Error("can not get comment for issue content history %v. err=%v", historyID, err)
|
||||
return
|
||||
}
|
||||
if comment.IssueID != issue.ID {
|
||||
ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
|
||||
return
|
||||
}
|
||||
}
|
||||
if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
|
||||
log.Error("can not get issue content history %v. err=%v", historyID, err)
|
||||
return
|
||||
}
|
||||
if history.IssueID != issue.ID {
|
||||
ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
|
||||
return
|
||||
}
|
||||
|
||||
canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history)
|
||||
if !canSoftDelete {
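Review bot: The two added guards tie `comment` and `history` to `issue` independently, but nothing visible in this hunk checks that the history row belongs to the comment that was loaded, so a comment ID and a history ID from the same issue that do not belong together pass both guards. That pairing is then decided only by `canSoftDeleteContentHistory`, whose body is outside the hunk; if it does not already compare them, add a guard such as `if comment != nil && history.CommentID != comment.ID` that answers with the same `ctx.NotFound` (this assumes `comment` stays nil when no comment ID is supplied, which the hunk does not show). The history branch also reuses the label `"CompareRepoID"` and `issues_model.ErrCommentNotExist{}`, although it compares issue IDs on a content-history row, which will mislead anyone reading the logs; a label like `"CompareIssueID"` would match the check. `SoftDeleteContentHistory` starts and ends outside the hunk.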
|
||||
|
|