
models/release: filter input to prevent command line argument vulnerability

Unknwon 9 years ago
parent
commit
0a78d99a4d
7 changed files with 11 additions and 128 deletions
  1. 1 1
      README.md
  2. 1 0
      conf/locale/TRANSLATORS
  3. 1 1
      gogs.go
  4. 4 4
      models/issue.go
  5. 2 0
      models/release.go
  6. 1 121
      public/config.codekit
  7. 1 1
      templates/.VERSION

+ 1 - 1
README.md

@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current version: 0.9.23
+##### Current version: 0.9.24
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|

+ 1 - 0
conf/locale/TRANSLATORS

@@ -23,6 +23,7 @@ Dmitriy Nogay <me AT catwhocode DOT ga>
 Enrico Testori hypertesto AT gmail DOT com
 Ezequiel Gonzalez Rial <gonrial AT gmail DOT com>
 Gregor Santner <gdev AT live DOT de>
+Halil Kaya <halil AT halilkaya DOT net>
 Hamid Feizabadi <hamidfzm AT gmail DOT com>
 Huimin Wang <wanghm2009 AT hotmail DOT co DOT jp>
 ilko <kontact-mr.k AT outlook DOT com">

+ 1 - 1
gogs.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.9.23.0426"
+const APP_VER = "0.9.25.0506"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())

+ 4 - 4
models/issue.go

@@ -546,9 +546,9 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
 		sess.Desc("created_unix")
 	}
 
-	if opts.Labels != "0" {
+	if len(opts.Labels) > 0 && opts.Labels != "0" {
 		labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
-		if opts.Labels != "" && len(labelIDs) > 0 {
+		if len(labelIDs) > 0 {
 			sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("label_id", labelIDs)
 		}
 	}
@@ -785,9 +785,9 @@ func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
 	countSession := func(opts *IssueStatsOptions) *xorm.Session {
 		sess := x.Where("issue.repo_id = ?", opts.RepoID).And("is_pull = ?", opts.IsPull)
 
-		if opts.Labels != "0" {
+		if len(opts.Labels) > 0 && opts.Labels != "0" {
 			labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
-			if opts.Labels != "" && len(labelIDs) > 0 {
+			if len(labelIDs) > 0 {
 				sess.Join("INNER", "issue_label", "issue.id = issue_id").In("label_id", labelIDs)
 			}
 		}
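Review bot: The new guard `len(opts.Labels) > 0 && opts.Labels != "0"` together with the split/convert/join beneath it is now written out twice, once in Issues and once in the countSession closure of GetIssueStats; a small shared helper, e.g. `func applyLabelFilter(sess *xorm.Session, labels string)`, would keep the two copies from drifting. They appear to have drifted already in the surrounding context: the first hunk joins on `issue.id = issue_label.issue_id` while the second joins on the unqualified `issue.id = issue_id`, which is at least inconsistent and worth confirming against the schema. Both Issues and GetIssueStats begin and end outside these hunks.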

+ 2 - 0
models/release.go

@@ -67,6 +67,8 @@ func createTag(gitRepo *git.Repository, rel *Release) error {
 				return fmt.Errorf("GetBranchCommit: %v", err)
 			}
 
+			// Trim '--' prefix to prevent command line argument vulnerability
+			rel.TagName = strings.TrimPrefix(rel.TagName, "--")
 			if err = gitRepo.CreateTag(rel.TagName, commit.ID.String()); err != nil {
 				return err
 			}
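Review bot: `strings.TrimPrefix` on the added line removes exactly one leading `--`, so a name carrying more than one such prefix still starts with `--` after trimming, and a name beginning with a single `-` is left untouched even though git parses that as an option too; the safer fix is to reject rather than rewrite the value, e.g. `if strings.HasPrefix(rel.TagName, "-") { return fmt.Errorf("invalid tag name %q", rel.TagName) }` in place of the trim. Rewriting `rel.TagName` in place also means the stored release name can silently differ from what was submitted, which a rejection avoids. Independently of the name check, if CreateTag shells out to git it should place the `--` end-of-options separator before the tag name so positional arguments are never read as flags; that call is outside this hunk and worth confirming. createTag's body begins and ends outside the hunk, and the tag name presumably arrives from a web form, so validating it at that boundary as well is worth considering.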

+ 1 - 121
public/config.codekit

@@ -431,126 +431,6 @@
 		"strictImports": 0,
 		"strictMath": 0,
 		"strictUnits": 0
-		},
-	"\/plugins\/dropzone-4.2.0\/dropzone.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/dropzone.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/dropzone-4.2.0\/dropzone.js": {
-		"fileType": 64,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/dropzone.js",
-		"outputAbbreviatedPath": "\/plugins\/dropzone-4.2.0\/min\/dropzone-min.js",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"outputStyle": 1,
-		"syntaxCheckerStyle": 1
-		},
-	"\/plugins\/highlight-9.2.0\/default.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/default.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/highlight-9.2.0\/github.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/github.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/highlight-9.2.0\/highlight.pack.js": {
-		"fileType": 64,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/highlight.pack.js",
-		"outputAbbreviatedPath": "\/plugins\/highlight-9.2.0\/min\/highlight.pack-min.js",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"outputStyle": 1,
-		"syntaxCheckerStyle": 1
-		},
-	"\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.js": {
-		"fileType": 64,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/jquery.datetimepicker.js",
-		"outputAbbreviatedPath": "\/plugins\/jquery.datetimepicker-2.4.5\/min\/jquery.datetimepicker-min.js",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"outputStyle": 1,
-		"syntaxCheckerStyle": 1
-		},
-	"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.min.js": {
-		"fileType": 64,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.min.js",
-		"outputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/min\/jquery.minicolors.min-min.js",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"outputStyle": 1,
-		"syntaxCheckerStyle": 1
-		},
-	"\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png": {
-		"fileType": 32768,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"initialSize": 68627,
-		"inputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png",
-		"outputAbbreviatedPath": "\/plugins\/jquery.minicolors-2.2.3\/jquery.minicolors.png",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"processed": 0
-		},
-	"\/plugins\/simplemde-1.10.1\/simplemde.min.css": {
-		"fileType": 16,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/simplemde.min.css",
-		"outputAbbreviatedPath": "No Output Path",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0
-		},
-	"\/plugins\/simplemde-1.10.1\/simplemde.min.js": {
-		"fileType": 64,
-		"ignore": 0,
-		"ignoreWasSetByUser": 0,
-		"inputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/simplemde.min.js",
-		"outputAbbreviatedPath": "\/plugins\/simplemde-1.10.1\/min\/simplemde.min-min.js",
-		"outputPathIsOutsideProject": 0,
-		"outputPathIsSetByUser": 0,
-		"outputStyle": 1,
-		"syntaxCheckerStyle": 1
 		}
 	},
 "hooks": [
@@ -1162,7 +1042,7 @@
 	"sassUseLibsass": 0,
 	"shouldRunAutoprefixer": 0,
 	"shouldRunBless": 0,
-	"skippedItemsString": "node_modules, _logs, .hg, _cache, log, logs, cache, \/assets, \/js\/libs, .git, .svn, \/img\/emoji",
+	"skippedItemsString": "node_modules, _logs, .hg, \/plugins, _cache, log, logs, cache, \/assets, \/js\/libs, .git, .svn, \/img\/emoji",
 	"slimAutoOutputPathEnabled": 1,
 	"slimAutoOutputPathFilenamePattern": "*.html",
 	"slimAutoOutputPathRelativePath": "",

+ 1 - 1
templates/.VERSION

@@ -1 +1 @@
-0.9.23.0426
+0.9.25.0506