From 6b7ce726c21f9bc666e55a6eeccd9244010419c2 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Mon, 24 Oct 2022 05:18:31 +0200 Subject: [PATCH] Prevent Authorization header for presigned LFS urls (#21531) (#21569) Backport of #21531 Co-authored-by: Lunny Xiao --- services/lfs/server.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/services/lfs/server.go b/services/lfs/server.go index b868db39dbec..830112fac6e3 100644 --- a/services/lfs/server.go +++ b/services/lfs/server.go @@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa } if download { - rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header} + var link *lfs_module.Link if setting.LFS.ServeDirect { // If we have a signed url (S3, object storage), redirect to this directly. u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid) if u != nil && err == nil { - rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header} + // Presigned url does not need the Authorization header + // https://github.com/go-gitea/gitea/issues/21525 + delete(header, "Authorization") + link = &lfs_module.Link{Href: u.String(), Header: header} } } + if link == nil { + link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header} + } + rep.Actions["download"] = link } if upload { rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}