From 8b049da3c7317769dda228e401478b807af62795 Mon Sep 17 00:00:00 2001
From: Catherine
Date: Sun, 7 Dec 2025 12:55:41 +0000
Subject: [PATCH] Treat `allowed-repository-url-prefixes = []` the same as unspecified.
Previously, this would disallow all git clones except for those via wildcard domains. This is highly unintuitive. It also meant that disabling this function via environment variable was not possible.
---
 conf/config.example.toml | 2 +-
 src/auth.go | 4 ++--
 src/config.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/conf/config.example.toml b/conf/config.example.toml
index 6de2997..e7f528b 100644
--- a/conf/config.example.toml
+++ b/conf/config.example.toml
@@ -51,7 +51,7 @@ max-symlink-depth = 16
 update-timeout = "60s"
 max-heap-size-ratio = 0.5 # * RAM_size
 forbidden-domains = []
-# allowed-repository-url-prefixes =
+allowed-repository-url-prefixes = []
 allowed-custom-headers = ["X-Clacks-Overhead"]
 [audit]
diff --git a/src/auth.go b/src/auth.go
index 0379467..e99177a 100644
--- a/src/auth.go
+++ b/src/auth.go
@@ -436,7 +436,7 @@ func AuthorizeUpdateFromRepository(r *http.Request) (*Authorization, error) {
 }
 func checkAllowedURLPrefix(repoURL string) error {
- if config.Limits.AllowedRepositoryURLPrefixes != nil {
+ if len(config.Limits.AllowedRepositoryURLPrefixes) > 0 {
 allowedPrefix := false
 repoURL = strings.ToLower(repoURL)
 for _, allowedRepoURLPrefix := range config.Limits.AllowedRepositoryURLPrefixes {
@@ -658,7 +658,7 @@ func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 return auth, nil
 }
- if config.Limits.AllowedRepositoryURLPrefixes != nil {
+ if len(config.Limits.AllowedRepositoryURLPrefixes) > 0 {
 causes = append(causes, AuthError{http.StatusUnauthorized, "DNS challenge not allowed"})
 } else {
 // DNS challenge gives absolute authority.
diff --git a/src/config.go b/src/config.go
index c87c82f..2866b93 100644
--- a/src/config.go
+++ b/src/config.go
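Review bot: After this change an empty `AllowedRepositoryURLPrefixes` fails open in both hunks of src/auth.go: `checkAllowedURLPrefix` skips the prefix check, and `AuthorizeUpdateFromArchive` takes the else branch where the DNS challenge gives absolute authority, with nothing visible that tells the operator the allowlist is inactive. A list that ends up empty by accident, for instance through the environment-variable configuration the commit message mentions, therefore lifts the restriction silently; a single log line at config load stating whether the allowlist is enforced would make that state auditable. The two identical tests would also be safer behind one helper, e.g. `func repoURLAllowlistEnabled() bool { return len(config.Limits.AllowedRepositoryURLPrefixes) > 0 }`, so the clone path and the archive path cannot drift apart. Both function bodies continue outside the hunks.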
@@ -140,7 +140,7 @@ type LimitsConfig struct {
 // List of domains unconditionally forbidden for uploads.
 ForbiddenDomains []string `toml:"forbidden-domains" default:"[]"`
 // List of allowed repository URL prefixes. Setting this option prohibits uploading archives.
- AllowedRepositoryURLPrefixes []string `toml:"allowed-repository-url-prefixes"`
+ AllowedRepositoryURLPrefixes []string `toml:"allowed-repository-url-prefixes" default:"[]"`
 // List of allowed custom headers. Header name must be in the MIME canonical form,
 // e.g. `Foo-Bar`. Setting this option permits including this custom header in `_headers`,
 // unless it is fundamentally unsafe.
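Review bot: The field comment above `AllowedRepositoryURLPrefixes` still reads "Setting this option prohibits uploading archives", which no longer holds for an empty list now that `[]` is the default and is treated the same as unspecified. I would reword it to `// List of allowed repository URL prefixes. An empty list (the default) imposes no restriction;` followed by `// a non-empty list also prohibits uploading archives.` The same one-line explanation belongs next to `allowed-repository-url-prefixes = []` in conf/config.example.toml, since an operator can easily read `[]` as "allow nothing". The struct begins and ends outside the hunk.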