Fix reported vulnerability

Ability to use labels from arbitrary repositories. Reported by Miguel Ángel Jimeno.
2016-12-22 19:44:59 -05:00 · 2016-12-22 19:44:59 -05:00 · 6383bf7480
parent f471ef1bc7
commit 6383bf7480
4 changed files with 4 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra

 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)

-##### Current tip version: 0.9.109 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions ~~or submit a task on [alpha stage automated binary building system](https://build.gogs.io/)~~)
+##### Current tip version: 0.9.110 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions ~~or submit a task on [alpha stage automated binary building system](https://build.gogs.io/)~~)

 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|
--- a/gogs.go
+++ b/gogs.go
@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )

-const APP_VER = "0.9.109.1222"
+const APP_VER = "0.9.110.1222"

 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
--- a/routers/repo/issue.go
+++ b/routers/repo/issue.go
@ -721,7 +721,7 @@ func UpdateIssueLabel(ctx *context.Context) {
 		}
 	} else {
 		isAttach := ctx.Query("action") == "attach"
-		label, err := models.GetLabelByID(ctx.QueryInt64("id"))
+		label, err := models.GetLabelInRepoByID(ctx.Repo.Repository.ID, ctx.QueryInt64("id"))
 		if err != nil {
 			if models.IsErrLabelNotExist(err) {
 				ctx.Error(404, "GetLabelByID")
--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.9.109.1222
+0.9.110.1222