routers/repo/http: only prompt HTTP Basic Authentication when intended

Sometimes user could simply request wrong URL, but if that wrong URL
has nothing related Git HTTP operations, HTTP Basic Authentication
should not prompted. Instead, clean 404 page should be presented.

The patch also supports Git HTTP operations without '.git' suffix
to the repository name, which addresses #4226 and #4189.

cmd/web.go

@@ -623,11 +623,14 @@ func runWeb(ctx *cli.Context) error {
 		m.Group("/:reponame", func() {
 			m.Head("/tasks/trigger", repo.TriggerTask)
 		})
-		// Use the regexp to match the repository name validation
+		// Use the regexp to match the repository name
+		// Duplicated routes to enable different ways of accessing same set of URLs,
+		// e.g. with or without ".git" suffix.
 		m.Group("/:reponame([\\d\\w-_\\.]+\\.git$)", func() {
 			m.Get("", ignSignIn, context.RepoAssignment(true), context.RepoRef(), repo.Home)
 			m.Route("/*", "GET,POST", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
 		})
+		m.Route("/:reponame/*", "GET,POST", ignSignInAndCsrf, repo.HTTPContexter(), repo.HTTP)
 	})
 	// ***** END: Repository *****
 

gogs.go

@@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.10.4.0303"
+const APP_VER = "0.10.5.0304"
 
 func init() {
 	setting.AppVer = APP_VER

routers/repo/http.go

@@ -76,6 +76,16 @@ func HTTPContexter() macaron.Handler {
 			return
 		}
 
+		// In case user requested a wrong URL and not intended to access Git objects.
+		action := ctx.Params("*")
+		if !strings.Contains(action, "git-") &&
+			!strings.Contains(action, "info/") &&
+			!strings.Contains(action, "HEAD") &&
+			!strings.Contains(action, "objects/") {
+			ctx.NotFound()
+			return
+		}
+
 		// Handle HTTP Basic Authentication
 		authHead := ctx.Req.Header.Get("Authorization")
 		if len(authHead) == 0 {

templates/.VERSION

@@ -1 +1 @@
-0.10.4.0303
+0.10.5.0304