mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-15 20:25:18 +02:00
0eba0e371f
**Unvalidated version in goproxy ParsePackage** The module version is read straight from the zip directory path and never checked, so a crafted upload can leave a newline in it; `EnumeratePackageVersions` then writes each stored version on its own line for the `@v/list` endpoint, letting a module advertise fabricated versions to `go` clients. Validated the parsed version with `semver.IsValid` inside the parser, matching the version checks the other package parsers already do. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>