From 56d68932ac282ed5c087be7d54395442330588a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= <loic@dachary.org>
Date: Sun, 12 Nov 2023 18:24:56 +0100
Subject: [PATCH] [GITEA] fix POST
 /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
(cherry picked from commit bebc2441567b6ff6693c9737319e42ff5347f0ac)
(cherry picked from commit 2a8cb675cadd75c3a59c9bb96178345e40c7b9c1)
---
 routers/web/repo/issue_content_history.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/routers/web/repo/issue_content_history.go b/routers/web/repo/issue_content_history.go
index 473ab260f3..af7776c99e 100644
--- a/routers/web/repo/issue_content_history.go
+++ b/routers/web/repo/issue_content_history.go
@@ -198,11 +198,19 @@ func SoftDeleteContentHistory(ctx *context.Context) {
 			log.Error("can not get comment for issue content history %v. err=%v", historyID, err)
 			return
 		}
+		if comment.IssueID != issue.ID {
+			ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+			return
+		}
 	}
 	if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
 		log.Error("can not get issue content history %v. err=%v", historyID, err)
 		return
 	}
+	if history.IssueID != issue.ID {
+		ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+		return
+	}
 
 	canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history)
 	if !canSoftDelete {
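Review bot: Both new ownership checks label the 404 with `"CompareRepoID"`, but what is compared on L24 and L33 is `IssueID`, not a repository id, so an operator reading the not-found log for a crafted `historyID`/comment id probe is pointed at the wrong field; `ctx.NotFound("CompareIssueID", issues_model.ErrCommentNotExist{})` would match the condition. The second check (L33-L36) also reports a content-history mismatch as `ErrCommentNotExist{}`; if the issues model defines a not-exist error for content history, that type fits better there, otherwise a one-line comment `// history belongs to another issue; hide it like a missing comment` should explain the reuse. Whether `history.CommentID` must additionally match the supplied comment when one is given is not visible here — if `canSoftDeleteContentHistory` does not enforce it, the same pattern should be applied to that pair. `SoftDeleteContentHistory` begins before this hunk and continues after it.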