Template
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo synced 2024-11-24 02:36:10 +01:00

Prevent Authorization header for presigned LFS urls (#21531) (#21569)

Backport of #21531

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
KN4CK3R 2022-10-24 05:18:31 +02:00 committed by GitHub
parent 92b5f48c40
commit 6b7ce726c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
} }
if download { if download {
rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header} var link *lfs_module.Link
if setting.LFS.ServeDirect { if setting.LFS.ServeDirect {
// If we have a signed url (S3, object storage), redirect to this directly. // If we have a signed url (S3, object storage), redirect to this directly.
u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid) u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)
if u != nil && err == nil { if u != nil && err == nil {
rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header} // Presigned url does not need the Authorization header
// https://github.com/go-gitea/gitea/issues/21525
delete(header, "Authorization")
link = &lfs_module.Link{Href: u.String(), Header: header}
} }
} }
if link == nil {
link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
}
rep.Actions["download"] = link
} }
if upload { if upload {
rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header} rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}