3 周之前 · 094b632182
--- a/.claude/commands/ghsa.md
+++ b/.claude/commands/ghsa.md
@@ -7,5 +7,7 @@ Steps:
 
															 4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
														
 
															 5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
														
 
															 6. Run all the usual build and test commands.
														
 
															-7. Create a branch named after the GHSA ID, commit, and push.
														
 
															-8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
														
 
															+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
														
 
															+8. Create a branch named after the GHSA ID, commit, and push.
														
 
															+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
														
 
															+10. If a changelog entry was added, update it with the PR link, then commit and push again.
														
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ All notable changes to Gogs are documented in this file.
 
															 ### Removed
														
 
															+- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
														
 
															+
														
 
															 - Git clone via the built-in SSH server hangs. [#8132](https://github.com/gogs/gogs/issues/8132)
														
 
															 ## 0.14.0
														
--- a/internal/context/auth.go
+++ b/internal/context/auth.go
@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
 
															 	// Check access token.
														
 
															 	if isAPIPath(c.Req.URL.Path) {
														
 
															-		tokenSHA := c.Query("token")
														
 
															-		if len(tokenSHA) <= 0 {
														
 
															-			tokenSHA = c.Query("access_token")
														
 
															-		}
														
 
															-		if tokenSHA == "" {
														
 
															-			// Well, check with header again.
														
 
															-			auHead := c.Req.Header.Get("Authorization")
														
 
															-			if len(auHead) > 0 {
														
 
															-				auths := strings.Fields(auHead)
														
 
															-				if len(auths) == 2 && auths[0] == "token" {
														
 
															-					tokenSHA = auths[1]
														
 
															-				}
														
 
															+		var tokenSHA string
														
 
															+		auHead := c.Req.Header.Get("Authorization")
														
 
															+		if auHead != "" {
														
 
															+			auths := strings.Fields(auHead)
														
 
															+			if len(auths) == 2 && auths[0] == "token" {
														
 
															+				tokenSHA = auths[1]
														
 
															 			}
														
 
															 		}