From 5d932b35ca4ef56525b815961d7f4f48a5119875 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Wed, 11 Nov 2020 20:34:16 +0000
Subject: [PATCH] Disallow urlencoded new lines in git protocol paths if there
 is a port (#13521)

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/auth/repo_form.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 039b0cb583..f27812bb1b 100644
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -102,6 +102,9 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string, user *models
 			u.User = url.UserPassword(authUsername, authPassword)
 		}
 		remoteAddr = u.String()
+		if u.Scheme == "git" && u.Port() != "" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", models.ErrInvalidCloneAddr{IsURLError: true}
+		}
 	} else if !user.CanImportLocal() {
 		return "", models.ErrInvalidCloneAddr{IsPermissionDenied: true}
 	} else if !com.IsDir(remoteAddr) {