vh/rest-server
1
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-12-07 09:36:13 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Move changelog files for 0.11.0

Browse Source
This commit is contained in:
Alexander Neumann
2022-02-10 19:53:14 +01:00
parent b739e22b04
commit 057ef39525
10 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
changelog/0.11.0_2022-02-10/issue-131 Normal file
View File

@@ -0,0 +1,16 @@
Security: Prevent loading of usernames containing a slash
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
This prevents requests to other users files like:
curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config
https://github.com/restic/rest-server/issues/131
https://github.com/restic/rest-server/pull/132
https://github.com/restic/rest-server/pull/137