From d3f93dae514b6bc38b5062461580029c3a7e9118 Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sat, 9 May 2026 23:59:31 +0200 Subject: [PATCH 1/6] avoid potential data race for err variable --- cmd/rest-server/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go index 12fd6b66..91946933 100644 --- a/cmd/rest-server/main.go +++ b/cmd/rest-server/main.go @@ -206,6 +206,7 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error { // run server in background go func() { + var err error if !enabledTLS { err = srv.Serve(listener) } else { From 7938d80db73cd84150e27078d9a0b0e6f0b97e64 Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sat, 9 May 2026 23:59:47 +0200 Subject: [PATCH 2/6] fix comment typos --- handlers.go | 2 +- repo/repo.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers.go b/handlers.go index 5938edd2..ba96b30a 100644 --- a/handlers.go +++ b/handlers.go @@ -51,7 +51,7 @@ func httpDefaultError(w http.ResponseWriter, code int) { http.Error(w, http.StatusText(code), code) } -// ServeHTTP makes this server an http.Handler. It handlers the administrative +// ServeHTTP makes this server an http.Handler. It handles the administrative // part of the request (figuring out the filesystem location, performing // authentication, etc) and then passes it on to repo.Handler for actual // REST API processing. diff --git a/repo/repo.go b/repo/repo.go index 0e38bb6a..2da4d9c2 100644 --- a/repo/repo.go +++ b/repo/repo.go @@ -807,7 +807,7 @@ func (h *Handler) internalServerError(w http.ResponseWriter, err error) { httpDefaultError(w, http.StatusInternalServerError) } -// internalServerError is called to report an error that occurred while +// fileAccessError is called to report an error that occurred while // accessing a file. If the does not exist, the corresponding http status code // will be returned to the client. All other errors are passed on to // internalServerError From 23752ccca47d7b6896f61263ec881194c7bf965a Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sun, 10 May 2026 00:00:43 +0200 Subject: [PATCH 3/6] correct htpasswd cache expiry was 0-5 seconds instead of the intended one minute. --- htpasswd.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htpasswd.go b/htpasswd.go index ad67a1e3..46a8c72a 100644 --- a/htpasswd.go +++ b/htpasswd.go @@ -123,7 +123,7 @@ func (h *HtpasswdFile) expiryTimer() { var zeros [sha256.Size]byte // try to wipe expired cache entries for user, entry := range h.cache { - if entry.expiry.After(now) { + if now.After(entry.expiry) { copy(entry.verifier, zeros[:]) delete(h.cache, user) } From 27d0d440f753b34387489846724b824b88e61b8f Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sun, 10 May 2026 00:01:21 +0200 Subject: [PATCH 4/6] return 400 bad request if content-length is invalid --- quota/quota.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quota/quota.go b/quota/quota.go index 8437f651..ee243c6f 100644 --- a/quota/quota.go +++ b/quota/quota.go @@ -70,7 +70,7 @@ func (m *Manager) WrapWriter(req *http.Request, w io.Writer) (io.Writer, int, er if contentLenStr := req.Header.Get("Content-Length"); contentLenStr != "" { contentLen, err := strconv.ParseInt(contentLenStr, 10, 64) if err != nil { - return nil, http.StatusLengthRequired, err + return nil, http.StatusBadRequest, err } if currentSize+contentLen > m.maxRepoSize { err := fmt.Errorf("incoming blob (%d bytes) would exceed maximum size of repository (%d bytes)", From d5f351c64e4b0c3ea3ae54d22cd268a16145572a Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sun, 10 May 2026 00:01:57 +0200 Subject: [PATCH 5/6] don't panic if saveConfig fails to open file --- repo/repo.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/repo/repo.go b/repo/repo.go index 2da4d9c2..137e02d0 100644 --- a/repo/repo.go +++ b/repo/repo.go @@ -305,11 +305,15 @@ func (h *Handler) saveConfig(w http.ResponseWriter, r *http.Request) { cfg := h.getSubPath("config") f, err := os.OpenFile(cfg, os.O_CREATE|os.O_WRONLY|os.O_EXCL, h.opt.fileMode) - if err != nil && os.IsExist(err) { + if err != nil { if h.opt.Debug { log.Print(err) } - httpDefaultError(w, http.StatusForbidden) + if os.IsExist(err) { + httpDefaultError(w, http.StatusForbidden) + } else { + h.internalServerError(w, err) + } return } From 6b31096865daa42a79f45bf709ab41205ee6e190 Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sun, 10 May 2026 00:03:48 +0200 Subject: [PATCH 6/6] avoid log spam if user password is invalid --- htpasswd.go | 1 - 1 file changed, 1 deletion(-) diff --git a/htpasswd.go b/htpasswd.go index 46a8c72a..430c991f 100644 --- a/htpasswd.go +++ b/htpasswd.go @@ -251,7 +251,6 @@ func (h *HtpasswdFile) Validate(user string, password string) bool { isValid := isMatchingHashAndPassword(hashedPassword, password) if !isValid { - log.Printf("Invalid htpasswd entry for %s.", user) return false }