-rw-r--r-- | cmd/git-lfs-server/main.go | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go index 0652e87..b13f997 100644 --- a/cmd/git-lfs-server/main.go +++ b/cmd/git-lfs-server/main.go | |||
@@ -92,12 +92,13 @@ type batchResponse struct { | |||
92 | } | 92 | } |
93 | 93 | ||
94 | type handler struct { | 94 | type handler struct { |
95 | mc *minio.Client | 95 | mc *minio.Client |
96 | bucket string | 96 | bucket string |
97 | anonUser string | 97 | anonUser string |
98 | gitolitePath string | 98 | gitolitePath string |
99 | privateKey ed25519.PrivateKey | 99 | privateKey ed25519.PrivateKey |
100 | baseURL *url.URL | 100 | baseURL *url.URL |
101 | exportAllForwardedHosts []string | ||
101 | } | 102 | } |
102 | 103 | ||
103 | func isValidSHA256Hash(hash string) bool { | 104 | func isValidSHA256Hash(hash string) bool { |
@@ -566,6 +567,16 @@ func (h *handler) authorizeBatchAPI(w http.ResponseWriter, r *http.Request, or o | |||
566 | user := h.anonUser | 567 | user := h.anonUser |
567 | ctx := r.Context() | 568 | ctx := r.Context() |
568 | 569 | ||
570 | if or.operation == operationDownload { | ||
571 | // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host | ||
572 | forwardedHost := r.Header.Get("X-Forwarded-Host") | ||
573 | if forwardedHost != "" && slices.Contains(h.exportAllForwardedHosts, forwardedHost) { | ||
574 | // This is a forwarded host for which all repositories are exported, | ||
575 | // regardless of ownership configuration in Gitolite. | ||
576 | return true | ||
577 | } | ||
578 | } | ||
579 | |||
569 | if authz := r.Header.Get("Authorization"); authz != "" { | 580 | if authz := r.Header.Get("Authorization"); authz != "" { |
570 | if !strings.HasPrefix(authz, "Bearer ") { | 581 | if !strings.HasPrefix(authz, "Bearer ") { |
571 | makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest) | 582 | makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest) |
@@ -821,8 +832,10 @@ func main() { | |||
821 | baseURLStr := os.Getenv("BASE_URL") | 832 | baseURLStr := os.Getenv("BASE_URL") |
822 | listenHost := os.Getenv("LISTEN_HOST") | 833 | listenHost := os.Getenv("LISTEN_HOST") |
823 | listenPort := os.Getenv("LISTEN_PORT") | 834 | listenPort := os.Getenv("LISTEN_PORT") |
835 | exportAllForwardedHostsStr := os.Getenv("EXPORT_ALL_FORWARDED_HOSTS") | ||
824 | 836 | ||
825 | listenAddr := net.JoinHostPort(listenHost, listenPort) | 837 | listenAddr := net.JoinHostPort(listenHost, listenPort) |
838 | exportAllForwardedHosts := strings.Split(exportAllForwardedHostsStr, ",") | ||
826 | 839 | ||
827 | if gitolitePath == "" { | 840 | if gitolitePath == "" { |
828 | gitolitePath = "gitolite" | 841 | gitolitePath = "gitolite" |
@@ -879,7 +892,7 @@ func main() { | |||
879 | die("Fatal: failed to create S3 client: %s", err) | 892 | die("Fatal: failed to create S3 client: %s", err) |
880 | } | 893 | } |
881 | 894 | ||
882 | h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL} | 895 | h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL, exportAllForwardedHosts} |
883 | if err = http.ListenAndServe(listenAddr, h); err != nil { | 896 | if err = http.ListenAndServe(listenAddr, h); err != nil { |
884 | die("Fatal: failed to serve CGI: %s", err) | 897 | die("Fatal: failed to serve CGI: %s", err) |
885 | } | 898 | } |