diff options
Diffstat (limited to 'cmd/git-lfs-server')
| -rw-r--r-- | cmd/git-lfs-server/main.go | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go index 0652e87..b13f997 100644 --- a/cmd/git-lfs-server/main.go +++ b/cmd/git-lfs-server/main.go | |||
| @@ -92,12 +92,13 @@ type batchResponse struct { | |||
| 92 | } | 92 | } |
| 93 | 93 | ||
| 94 | type handler struct { | 94 | type handler struct { |
| 95 | mc *minio.Client | 95 | mc *minio.Client |
| 96 | bucket string | 96 | bucket string |
| 97 | anonUser string | 97 | anonUser string |
| 98 | gitolitePath string | 98 | gitolitePath string |
| 99 | privateKey ed25519.PrivateKey | 99 | privateKey ed25519.PrivateKey |
| 100 | baseURL *url.URL | 100 | baseURL *url.URL |
| 101 | exportAllForwardedHosts []string | ||
| 101 | } | 102 | } |
| 102 | 103 | ||
| 103 | func isValidSHA256Hash(hash string) bool { | 104 | func isValidSHA256Hash(hash string) bool { |
| @@ -566,6 +567,16 @@ func (h *handler) authorizeBatchAPI(w http.ResponseWriter, r *http.Request, or o | |||
| 566 | user := h.anonUser | 567 | user := h.anonUser |
| 567 | ctx := r.Context() | 568 | ctx := r.Context() |
| 568 | 569 | ||
| 570 | if or.operation == operationDownload { | ||
| 571 | // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host | ||
| 572 | forwardedHost := r.Header.Get("X-Forwarded-Host") | ||
| 573 | if forwardedHost != "" && slices.Contains(h.exportAllForwardedHosts, forwardedHost) { | ||
| 574 | // This is a forwarded host for which all repositories are exported, | ||
| 575 | // regardless of ownership configuration in Gitolite. | ||
| 576 | return true | ||
| 577 | } | ||
| 578 | } | ||
| 579 | |||
| 569 | if authz := r.Header.Get("Authorization"); authz != "" { | 580 | if authz := r.Header.Get("Authorization"); authz != "" { |
| 570 | if !strings.HasPrefix(authz, "Bearer ") { | 581 | if !strings.HasPrefix(authz, "Bearer ") { |
| 571 | makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest) | 582 | makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest) |
| @@ -821,8 +832,10 @@ func main() { | |||
| 821 | baseURLStr := os.Getenv("BASE_URL") | 832 | baseURLStr := os.Getenv("BASE_URL") |
| 822 | listenHost := os.Getenv("LISTEN_HOST") | 833 | listenHost := os.Getenv("LISTEN_HOST") |
| 823 | listenPort := os.Getenv("LISTEN_PORT") | 834 | listenPort := os.Getenv("LISTEN_PORT") |
| 835 | exportAllForwardedHostsStr := os.Getenv("EXPORT_ALL_FORWARDED_HOSTS") | ||
| 824 | 836 | ||
| 825 | listenAddr := net.JoinHostPort(listenHost, listenPort) | 837 | listenAddr := net.JoinHostPort(listenHost, listenPort) |
| 838 | exportAllForwardedHosts := strings.Split(exportAllForwardedHostsStr, ",") | ||
| 826 | 839 | ||
| 827 | if gitolitePath == "" { | 840 | if gitolitePath == "" { |
| 828 | gitolitePath = "gitolite" | 841 | gitolitePath = "gitolite" |
| @@ -879,7 +892,7 @@ func main() { | |||
| 879 | die("Fatal: failed to create S3 client: %s", err) | 892 | die("Fatal: failed to create S3 client: %s", err) |
| 880 | } | 893 | } |
| 881 | 894 | ||
| 882 | h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL} | 895 | h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL, exportAllForwardedHosts} |
| 883 | if err = http.ListenAndServe(listenAddr, h); err != nil { | 896 | if err = http.ListenAndServe(listenAddr, h); err != nil { |
| 884 | die("Fatal: failed to serve CGI: %s", err) | 897 | die("Fatal: failed to serve CGI: %s", err) |
| 885 | } | 898 | } |