CORS on git smart http protocol can not work on main branch #7547

Closed
opened 2025-11-02 07:29:25 -06:00 by GiteaMirror · 7 comments
Owner

Originally created by @snowyu on GitHub (Jul 6, 2021).

  • Gitea version (or commit ref): 27c1578235
  • Git version: 2.25.1
  • Operating system:
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.2 LTS
    Release:	20.04
    Codename:	focal
    
  • Database (use [x]):
    • [ ] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [x] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
  • Log gist:

Description

This feature #5719 (#5700) cannot work now.

The browser says:

Access to XMLHttpRequest at 'http://localhost:3000/name/repo.git/info/refs?service=git-upload-pack' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

And the response has no CORS header at all.

The server reports:

Completed OPTIONS /name/repo.git/info/refs?service=git-upload-pack 405 Method Not Allowed in 780.91µs

I've found it was incorrectly rejected before entering httpBase.

https://github.com/go-gitea/gitea/blob/27c15782352aabaf9279c9c187d3658649d81e2f/routers/web/web.go#L150

The `context.Contexter()` rejects it.

Just add the following code before `context.Contexter()` to fix it:

```go
common = append(common, CorsHandler) // added here
// Removed: toolbox.Toolboxer middleware will provide debug informations which seems unnecessary
common = append(common, context.Contexter())
```
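To make the ordering problem concrete, here is an added example (not Gitea's code) that replays the report's OPTIONS preflight against two stub chains built with net/http: `corsHandler`, `strictContext`, `allowedOrigin` and `preflight` are assumed names, and `strictContext` only imitates the method gate that the report attributes to `context.Contexter()`.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

const allowedOrigin = "http://localhost:8080" // constructed stand-in for the [cors] allow list

// corsHandler answers the preflight itself and stamps the allow-origin header on real requests.
func corsHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
		}
		if r.Method == http.MethodOptions { // preflight ends here, never reaching git
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// strictContext mimics a context-setup middleware admitting only GET and POST; run first, it
// answers the OPTIONS preflight with a bare 405 and no CORS header, as in the issue's log line.
func strictContext(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflight replays the browser's OPTIONS probe from the report against a stub /info/refs
// handler wrapped in the requested order; returns status and Access-Control-Allow-Origin.
func preflight(corsFirst bool) (int, string) {
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("0000")) })
	h := strictContext(corsHandler(stub)) // the order behind the 405 in the report
	if corsFirst {
		h = corsHandler(strictContext(stub)) // the order the issue proposes
	}
	req := httptest.NewRequest(http.MethodOptions, "/name/repo.git/info/refs?service=git-upload-pack", nil)
	req.Header.Set("Origin", allowedOrigin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Result().Header.Get("Access-Control-Allow-Origin")
}
```

`preflight(false)` yields the 405 with an empty allow-origin header that the browser complains about; `preflight(true)` yields 204 with the configured origin, and only that origin is ever echoed back.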
GiteaMirror added the type/bug label 2025-11-02 07:29:25 -06:00
Author
Owner

@snowyu commented on GitHub (Jul 6, 2021):

It seems that the new [cors] configuration section will replace the old ACCESS_CONTROL_ALLOW_ORIGIN config.

Author
Owner

@noerw commented on GitHub (Jul 10, 2021):

So it works after you updated your config? In that case, please close this issue :)

Maybe related: #16100

Author
Owner

@snowyu commented on GitHub (Jul 10, 2021):

No, it will only work after modifying the above code.

If you have read the source code, you will find the feature of cors is the same as the ACCESS_CONTROL_ALLOW_ORIGIN config.

So I think you can deprecate the old ACCESS_CONTROL_ALLOW_ORIGIN.

Author
Owner

@snowyu commented on GitHub (Jul 10, 2021):

Enh, maybe my changes can fix #16100.

Author
Owner

@lunny commented on GitHub (Jul 18, 2021):

Could you send a PR to fix that? I'm thinking we maybe should use different CORS settings for smart HTTP, the API and others.

Author
Owner

@snowyu commented on GitHub (Jul 20, 2021):

Ok. I've added support for CORS on most repo operations. But I have no idea how to write a unit test.

Author
Owner

@zeripath commented on GitHub (Jul 20, 2021):

In order to provide a test it would be helpful if you could simply list the requests that lightning git would make over the smart protocol - then you would simply write a test that ensures that the appropriate headers are sent back.

Another option is to point to the smart git protocol documentation here.


Reference: github-starred/gitea#7547