From e61b9c86a3b7319bd698b5c0a8d145cabfa80e52 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jul 18 2018 13:59:16 +0000
Subject: Couple of fixes for private repos

- Ensure we do not expose private git repo via https. (CVE-2018-1002153)
- Ensure we do not log activity on private projects.

Fixes https://pagure.io/pagure/issue/3302

Signed-off-by: Pierre-Yves Chibon

---

diff --git a/pagure/lib/__init__.py b/pagure/lib/__init__.py
index a47a513..428bf81 100644
--- a/pagure/lib/__init__.py
+++ b/pagure/lib/__init__.py
@@ -4614,8 +4614,12 @@ def log_action(session, action, obj, user_obj):
     project_id = None
     if obj.isa in ['issue', 'pull-request']:
         project_id = obj.project_id
+        if obj.project.private:
+            return
     elif obj.isa == 'project':
         project_id = obj.id
+        if obj.private:
+            return
     else:
         raise pagure.exceptions.InvalidObjectException(
             'Unsupported object found: "%s"' % obj
diff --git a/pagure/lib/tasks.py b/pagure/lib/tasks.py
index 47eaf6c..583f0ca 100644
--- a/pagure/lib/tasks.py
+++ b/pagure/lib/tasks.py
@@ -324,11 +324,12 @@ def create_project(self, session, username, namespace, name, add_readme,
         shutil.rmtree(temp_gitrepo_path)
-    # Make the repo exportable via apache
-    http_clone_file = os.path.join(gitrepo, 'git-daemon-export-ok')
-    if not os.path.exists(http_clone_file):
-        with open(http_clone_file, 'w') as stream:
-            pass
+    if not project.private:
+        # Make the repo exportable via apache
+        http_clone_file = os.path.join(gitrepo, 'git-daemon-export-ok')
+        if not os.path.exists(http_clone_file):
+            with open(http_clone_file, 'w') as stream:
+                pass
     docrepo = None
     if pagure_config.get('DOCS_FOLDER'):
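Review bot: The two added `if ... private: return` branches only stop new rows from being written, so activity already logged for a project before it became private, or before this fix shipped, stays in the log table and is still exposed by whatever reads it unless that reader filters on `project.private` elsewhere; closing the leak needs either a one-off cleanup of existing entries for private projects plus deletion of a project's rows when it is switched to private, or a read-side filter. The early return is also silent to callers, which deserves a line in log_action's docstring such as `Activity on private projects is intentionally not recorded (CVE-2018-1002153).`. The same privacy test is now written twice; a single check after the if/elif/else, `project = obj if obj.isa == 'project' else obj.project` followed by `if project.private: return`, would keep the two paths from drifting, at the cost of resolving the project on the raising branch as well. log_action's body starts and ends outside the hunk.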