Goji routes incoming requests without first URL decoding the path, so
'%2F' in a URL will not be decoded to a '/' before routing. But by the
time that we perform the path checks for private urls on r.URL.Path,
these characters have been decoded.
As a consequence, a user 'foo' could use 'foo%2Fbar' as the repo name.
The private repo check would see that the path starts with 'foo/' and
allow it, and rest-server would happily create a 'foo/bar' repo. Other
more harmful variants are possible.
To resolve this issue, we now reject any name part that contains a '/'.
Additionally, we immediately reject a few other characters that are
disallowed under some operating systems or filesystems.
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
* Add --max-size flag to limit repository size
* Only update repo size on successful write
* Use initial size as current size for first SaveBlob
* Apply LimitReader to request body
* Use HTTP 413 for size overage responses
* Refactor size limiting; do checks after every write
* Remove extra commented lines, d'oh
* Account for deleting blobs when counting space usage
* Remove extra commented line
* Fix unrelated bug (inverted err check)
* Update comment to trigger new CI build
In order to prevent users from accidentally exposing rest-server without
authentication, rest-server now defaults to requiring a .htpasswd. If
you want to disable authentication, you need to explicitly pass the new
--no-auth flag.
