Moderate severity · NVD Advisory · Published Jul 11, 2019 · Updated Aug 5, 2024
CVE-2019-1010314
Description
Gitea 1.7.2 and 1.7.3 are affected by Cross-Site Scripting (XSS). The impact is: execute JavaScript in the victim's browser when the vulnerable repository page is loaded. The component is: the repository's description. The attack vector is: the victim must navigate to the public and affected repository page.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.gitea.io/gitea (Go) | >= 1.7.2, < 1.7.4 | 1.7.4 |
Affected products
Patches (1)
c7bbfd8f5eb0 backport 6306 (#6308)
2 files changed · +53 −3
models/repo.go+5 −3 modified@@ -719,10 +719,12 @@ var ( // DescriptionHTML does special handles to description and return HTML string. func (repo *Repository) DescriptionHTML() template.HTML { - sanitize := func(s string) string { - return fmt.Sprintf(`<a href="%[1]s" target="_blank" rel="noopener noreferrer">%[1]s</a>`, s) + desc, err := markup.RenderDescriptionHTML([]byte(repo.Description), repo.HTMLURL(), repo.ComposeMetas()) + if err != nil { + log.Error(4, "Failed to render description for %s (ID: %d): %v", repo.Name, repo.ID, err) + return template.HTML(markup.Sanitize(repo.Description)) } - return template.HTML(descPattern.ReplaceAllStringFunc(markup.Sanitize(repo.Description), sanitize)) + return template.HTML(markup.Sanitize(string(desc))) } // LocalCopyPath returns the local repository copy path.
modules/markup/html.go+48 −0 modified@@ -234,6 +234,23 @@ func RenderCommitMessage( return ctx.postProcess(rawHTML) } +// RenderDescriptionHTML will use similar logic as PostProcess, but will +// use a single special linkProcessor. +func RenderDescriptionHTML( + rawHTML []byte, + urlPrefix string, + metas map[string]string, +) ([]byte, error) { + ctx := &postProcessCtx{ + metas: metas, + urlPrefix: urlPrefix, + procs: []processor{ + descriptionLinkProcessor, + }, + } + return ctx.postProcess(rawHTML) +} + var byteBodyTag = []byte("<body>") var byteBodyTagClosing = []byte("</body>") @@ -668,3 +685,34 @@ func genDefaultLinkProcessor(defaultLink string) processor { node.FirstChild, node.LastChild = ch, ch } } + +// descriptionLinkProcessor creates links for DescriptionHTML +func descriptionLinkProcessor(ctx *postProcessCtx, node *html.Node) { + m := linkRegex.FindStringIndex(node.Data) + if m == nil { + return + } + uri := node.Data[m[0]:m[1]] + replaceContent(node, m[0], m[1], createDescriptionLink(uri, uri)) +} + +func createDescriptionLink(href, content string) *html.Node { + textNode := &html.Node{ + Type: html.TextNode, + Data: content, + } + linkNode := &html.Node{ + FirstChild: textNode, + LastChild: textNode, + Type: html.ElementNode, + Data: "a", + DataAtom: atom.A, + Attr: []html.Attribute{ + {Key: "href", Val: href}, + {Key: "target", Val: "_blank"}, + {Key: "rel", Val: "noopener noreferrer"}, + }, + } + textNode.Parent = linkNode + return linkNode +}
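Review bot: in the models/repo.go hunk, the doc comment on `DescriptionHTML` still reads "does special handles to description" and does not describe the new behaviour; it should say that links are now rendered through `markup.RenderDescriptionHTML`, that the result is passed through `markup.Sanitize`, and that on a render error the function logs and falls back to the plain sanitized description without links (a safe degradation, but one callers should know about). The hunk also removes the only visible uses of `descPattern` and of `fmt` (the deleted `fmt.Sprintf`); confirm both are still referenced elsewhere in the file or drop them, since an unused import will not compile. The ordering change is what closes the issue: the old code ran `markup.Sanitize` first and then spliced the matched text into an `<a href="%[1]s">` string, so the generated anchor markup itself was never sanitized, whereas the new code sanitizes the rendered output.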
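Review bot: in the first modules/markup/html.go hunk, the doc comment on `RenderDescriptionHTML` should state that its output is not sanitized: it runs only `descriptionLinkProcessor` through `ctx.postProcess` and returns the resulting HTML, so every caller must pass the result through `markup.Sanitize` as `DescriptionHTML` does. Spelling out how it differs from `PostProcess` (a single link processor, none of the mention, issue or commit processors) would also stop someone later adding processors here on the assumption that it carries the same guarantees.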
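Review bot: in the second modules/markup/html.go hunk, `descriptionLinkProcessor` handles only the first `linkRegex` match in `node.Data` (`FindStringIndex` followed by a single `replaceContent`); whether a second URL in the same description is linked depends on `postProcess` revisiting the trailing text node that `replaceContent` leaves behind, which this hunk does not show, so a test with two URLs in one description belongs with this change. Building the anchor as an `html.Node` with `href` set as an attribute value rather than formatted into a string is the right approach: attribute escaping is then handled at serialization and the output still goes through `markup.Sanitize`, while the `target="_blank"` and `rel="noopener noreferrer"` attributes from the old code are preserved.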
References
- github.com/advisories/GHSA-hqx2-j33x-9fc4 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1010314 (advisory)
- github.com/go-gitea/gitea/commit/c7bbfd8f5eb097c6910e142415fcdf48fc3c9814
- github.com/go-gitea/gitea/issues/8717
- github.com/go-gitea/gitea/pull/6306
- github.com/go-gitea/gitea/pull/6308
- github.com/go-gitea/gitea/releases/tag/v1.7.4