Unconstrained private code access via wget
chenghuzi opened this issue · 0 comments
chenghuzi commented
Gogs version
0.14.0+dev
Git version
- Server: 2.38.5
- Client: Not applicable
Operating system
Debian GNU/Linux 11
Database
SQLite 3
Describe the bug
I have a private, unlisted repo hosted on Gogs. I attempted to download a notebook file from my repo. Upon obtaining the raw file URL, I tried to download it using wget. Surprisingly, I was able to download it without any problem, even though there was no authentication in my request. My request was as simple as wget file_raw_url. Note that this bug only appears when downloading private items via the command-line wget; it works as expected with a browser.
To reproduce
- Create a private repo
- Store some files there
- Get the raw file URL for any private file in that repo
- Run wget -c FILE_URL to download that file from any machine.
Expected behavior
The Gogs server should return some error signal for those unauthenticated requests.
Additional context
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
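A regression check for the behaviour reported above, added here as an example and not part of the original issue: it requests a raw-file URL with no cookies or credentials, the way the wget call in the report does, and fails when the server answers 200. The URL in the usage line is a hypothetical placeholder, and curl is assumed to be installed.

```shell
#!/bin/sh
# Check that a raw-file URL in a private Gogs repo is refused when requested
# anonymously. Run it against a URL you have confirmed in a logged-in browser,
# otherwise a mistyped path would pass as a 404 "deny".

# Map an HTTP status code to a verdict:
#   deny     - server refused or hid the file (expected for private content)
#   leak     - file body served with no credentials (the bug in the report)
#   redirect - sent elsewhere, usually the login page; inspect Location manually
#   other    - anything else, treated as a failure so it gets looked at
classify_status() {
  case "$1" in
    401|403|404)     echo "deny" ;;
    200)             echo "leak" ;;
    301|302|303|307) echo "redirect" ;;
    *)               echo "other" ;;
  esac
}

# Fetch the URL anonymously (no cookie jar, no auth, no redirect following)
# and print only the status code. Needs network access and a real URL.
anon_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Print the verdict and succeed only when the request was denied, so the
# function can gate a deployment or run from cron against a private repo.
check_private_raw() {
  status=$(anon_status "$1")
  verdict=$(classify_status "$status")
  echo "$1 -> HTTP $status ($verdict)"
  [ "$verdict" = "deny" ]
}

# Usage (hypothetical placeholder URL; use a raw-file URL of your own private repo):
# check_private_raw "https://gogs.example.com/owner/private-repo/raw/main/notes.ipynb"
```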