 013fb73068
			Use hostmatcher to replace matchlist. We also introduce a better DialContext that does a full host/IP check; otherwise attackers can still bypass the allow/block list via a 302 redirect.
| // Copyright 2021 The Gitea Authors. All rights reserved.
 | |
| // Use of this source code is governed by a MIT-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package migrations
 | |
| 
 | |
| import (
 | |
| 	"crypto/tls"
 | |
| 	"net/http"
 | |
| 
 | |
| 	"code.gitea.io/gitea/modules/hostmatcher"
 | |
| 	"code.gitea.io/gitea/modules/proxy"
 | |
| 	"code.gitea.io/gitea/modules/setting"
 | |
| )
 | |
| 
 | |
// NewMigrationHTTPClient builds the HTTP client used for migration requests.
//
// The client's only customisation is its transport, which comes from
// NewMigrationHTTPTransport. No CheckRedirect is set, so net/http's default
// redirect policy applies and redirects are followed; any host filtering for
// redirected requests therefore has to happen in the transport's DialContext.
// No Timeout is set either, so requests are bounded only by whatever the
// caller's context or the transport imposes.
func NewMigrationHTTPClient() *http.Client {
	client := new(http.Client)
	client.Transport = NewMigrationHTTPTransport()
	return client
}
 | |
| 
 | |
// NewMigrationHTTPTransport builds the HTTP transport used for migration
// requests.
//
// It combines three settings:
//   - TLS certificate verification follows setting.Migrations.SkipTLSVerify.
//   - The proxy is chosen by proxy.Proxy().
//   - Connections are opened through a dialer from hostmatcher.NewDialContext,
//     which is given the package's allowList and blockList.
func NewMigrationHTTPTransport() *http.Transport {
	tlsConf := &tls.Config{
		// When SkipTLSVerify is true the peer certificate is not validated, so
		// the migration source is not authenticated and traffic can be
		// intercepted; this should stay off outside trusted test networks.
		InsecureSkipVerify: setting.Migrations.SkipTLSVerify,
	}

	tr := &http.Transport{TLSClientConfig: tlsConf}
	tr.Proxy = proxy.Proxy()

	// The dialer runs for every new connection, which includes connections
	// made while following redirects, so the check happens at connect time
	// instead of only on the URL that was first requested.
	// NOTE(review): when a proxy is selected, net/http uses DialContext to
	// connect to the proxy, so the address the dialer sees is presumably the
	// proxy's and not the migration target's. Confirm that the allow/block
	// lists are still enforced on that path.
	tr.DialContext = hostmatcher.NewDialContext("migration", allowList, blockList)
	return tr
}
 |