fix: check that attachments belong to correct resource

It was possible to hijack attachments in the update and create functions
and move them to another owner, because there was no check that they
weren't already attached to another resource, and no check that they
belonged to the repository that was being operated on.
Gusted 2026-02-11 08:16:51 +01:00 committed by Mathieu Fenniak
parent 68b2930caa
commit ce0a376723
7 changed files with 93 additions and 79 deletions


@ -3682,7 +3682,7 @@ func updateAttachments(ctx *context.Context, item any, files []string) error {
if len(files) > 0 {
switch content := item.(type) {
case *issues_model.Issue:
err = issues_model.UpdateIssueAttachments(ctx, content.ID, files)
err = issues_model.UpdateIssueAttachments(ctx, content, files)
case *issues_model.Comment:
err = content.UpdateAttachments(ctx, files)
default:
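Review bot: The `*issues_model.Comment` case still calls `content.UpdateAttachments(ctx, files)` unchanged, so nothing in this hunk shows whether comment attachments get the checks that the Issue call appears to gain by passing the whole `content` rather than `content.ID`. Those checks are that each UUID is not already attached elsewhere and that it belongs to the repository being operated on. If that method is hardened in another file of this commit, that is fine; otherwise the comment path would still allow the reattachment described in the commit message, so it is worth confirming and covering with a test that submits an attachment UUID from a different repository. A short comment above the switch would record the invariant, e.g. `// every branch must verify the UUIDs are unattached and belong to this repo before linking`. The body of updateAttachments starts before this hunk and continues past its last line (`default:`), so the fallback branch is not visible here.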