...
* robots.txt: disallow access to snapshotsJason A. Donenfeld2013-08-122-0/+4
My dmesg is filled with the oom killer bringing down processes while the Bingbot downloads every snapshot for every commit of the Linux kernel in tar.xz format. Sure, I should be running with memory limits, and now I'm using cgroups, but a more general solution is to prevent crawlers from wasting resources like that in the first place. Suggested-by: Natanael Copa <ncopa@alpinelinux.org> Suggested-by: Julius Plenz <plenz@cis.fu-berlin.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: do not free refJason A. Donenfeld2013-05-281-1/+0
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* filters: toggle perl utf8 situationJason A. Donenfeld2013-05-281-4/+0
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* CGIT-0.9.2v0.9.2Jason A. Donenfeld2013-05-271-2/+2
Features:
- update to git v1.8.3.
- expanded set of default filters to include markdown, restructuredtext, and man pages.
- better sample configuration file in man page.
- "readme" may now be specified multiple times, and cgit will choose the first one it finds.
- "readme" no longer needs a branch name. If prefixed with simply ":" it will use the default branch.
- "branch-sort" allowing branches to be sorted either by "age" or "name", for kernel.org.
- "enable-index-owner" allowing the owner column to be disabled in the index page.
- print submodule revision next to submodule link.
- integrate more closely with git apis, such as strbuf.
- rely on git test harness and git makefiles.
- more robust test suite.
- more robust makefile dependency accounting.
- pager navigation is now unordered list.
- span tag wraps commit directions.
Behavior changes:
- HOME is no longer passed as an environment variable to any filter api scripts.
- "about-filter" now receives the filename being filtered as argv[1]. This may disrupt existing scripts, so adjust accordingly.
- gitconfig and gitattributes are no longer loaded from any system directories or home directories.
Security:
- CVE-2013-2117: disallow directory traversal when readme is set to filesystem path.
Bug fixes:
- ssdiff now correctly manages tab expansion.
- support unannotated tags in http git clone.
- lots of cleanups of global variables and memory leaks.
- do not rely on gettext/libintl.
- better C standard compliance.
- make several functions and variables static.
- improved constification.
- remove unused functions.
- fix colspan values to correct width.
- fix out-of-bounds memory accesses with virtual_root="".
- cache repo config more precisely.
- die when write fails.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* README: add trailing slash to homepageJason A. Donenfeld2013-05-271-1/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgitrc.5: improve example configJason A. Donenfeld2013-05-271-0/+53
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* filters: import more modern scriptsJason A. Donenfeld2013-05-2710-15/+1815
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* readme: use string_list instead of space deliminationsJason A. Donenfeld2013-05-2610-122/+160
Now this is possible in cgitrc -
readme=:README.md
readme=:readme.md
readme=:README.mkd
readme=:readme.mkd
readme=:README.rst
readme=:readme.rst
readme=:README.html
readme=:readme.html
readme=:README.htm
readme=:readme.htm
readme=:README.txt
readme=:readme.txt
readme=:README
readme=:readme
readme=:INSTALL.txt
readme=:install.txt
readme=:INSTALL
readme=:install
Suggested-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Disallow directory traversalJason A. Donenfeld2013-05-251-0/+16
Using the url= query string, it was possible to request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file:
http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
http://data.zx2c4.com/cgit-directory-traversal.png
This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
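The containment check this commit describes (canonicalise with realpath(3), then compare against the base directory), written out as an added illustration that is not cgit's own code. The fixture directory names are constructed for the demo; the separator check after the base prefix is the detail that keeps a sibling such as repo-evil from passing for base repo.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept `path` only if realpath(3) resolves it strictly below the
 * canonicalised `base`. The separator check rejects siblings that merely
 * share a prefix (repo-evil vs repo). As the commit notes, realpath()
 * follows symlinks at check time, so a TOCTOU window to the later open()
 * remains. */
static int path_within_base(const char *base, const char *path)
{
	char rbase[PATH_MAX], rpath[PATH_MAX];
	size_t n;
	if (!realpath(base, rbase) || !realpath(path, rpath))
		return 0; /* unresolvable or non-existent: reject */
	n = strlen(rbase);
	return strncmp(rbase, rpath, n) == 0 && rpath[n] == '/';
}

/* create an empty file (fixture helper) */
static void touch(const char *p) { FILE *f = fopen(p, "w"); if (f) fclose(f); }

/* Constructed fixture: <tmp>/repo/README (legitimate readme), <tmp>/secret
 * (outside the repo) and <tmp>/repo-evil/README (prefix sibling).
 * Returns 1 when only the legitimate readme is accepted. */
static int demo(void)
{
	char root[] = "/tmp/cgit-readme-XXXXXX";
	char base[PATH_MAX], evil[PATH_MAX], readme[PATH_MAX], secret[PATH_MAX];
	char evilreadme[PATH_MAX], traversal[PATH_MAX], sibling[PATH_MAX];
	int ok;
	if (!mkdtemp(root))
		return 0;
	snprintf(base, sizeof base, "%s/repo", root);
	snprintf(evil, sizeof evil, "%s/repo-evil", root);
	snprintf(readme, sizeof readme, "%s/README", base);
	snprintf(secret, sizeof secret, "%s/secret", root);
	snprintf(evilreadme, sizeof evilreadme, "%s/README", evil);
	snprintf(traversal, sizeof traversal, "%s/../secret", base);      /* ../ escape */
	snprintf(sibling, sizeof sibling, "%s/../repo-evil/README", base); /* prefix sibling */
	mkdir(base, 0700); mkdir(evil, 0700);
	touch(readme); touch(secret); touch(evilreadme);
	ok = path_within_base(base, readme)
	     && !path_within_base(base, traversal)
	     && !path_within_base(base, sibling);
	unlink(readme); unlink(secret); unlink(evilreadme);
	rmdir(evil); rmdir(base); rmdir(root);
	return ok;
}
```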
* cgitrc.5: information on directory traversal and multiple readme filesJason A. Donenfeld2013-05-251-6/+11
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* readme: Accept multiple candidates and test them.Jason A. Donenfeld2013-05-255-31/+95
The readme variable may now contain multiple space-delimited entries, which per usual are either a filepath or a git ref filepath. If multiple are specified, cgit will now select the first one in the list that exists. This is to make it easier to specify multiple default readme types in the main cgitrc file and have them automatically get applied to each repo based on what exists. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Pass filename to about-filterJason A. Donenfeld2013-05-254-8/+22
This gives the about-filter API the same semantics as source-filter, where the filter receives the filename so it can decide what to do next with it. While we're at it, plug a memory leak. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Use default branch for readme if : prefixJason A. Donenfeld2013-05-252-2/+9
If the readme value begins with ":", and has no specified branch before it, use the repository's default branch. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgit.c: Do not reset HOME after unsetting it.Jason A. Donenfeld2013-05-252-22/+0
The number of odd cases in which git will try to read config is far too great to keep putting a bandaid over each one, so we'll just unset it. If it turns out that scripts really liked to know about $HOME, we can always reset it in the filter forks. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgit.c: sync repo config printing with struct cgit_repoJason A. Donenfeld2013-05-251-0/+14
We've now added quite a few config keys for repositories, but we've forgotten to update the printing of it for cache files. Synchronize the two. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* New mailing list.Jason A. Donenfeld2013-05-131-2/+3
* ui-snapshot: do not access $HOMEJason A. Donenfeld2013-04-302-0/+10
It's a bit tedious to have to do this here too. If we encounter other issues with $HOME down the line, I'll look into adding some nice utility functions to handle this, or perhaps giving up on the hope that we could keep $HOME defined for scripts. This commit additionally adds a test case, should the issue surface again. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgitrc.5.txt: Specify when scan-path must be defined before.Jason A. Donenfeld2013-04-101-9/+11
Several options must be specified prior to scan-path. This is a consistent source of user confusion. Document these facts. Suggested-by: Lukas Fleischer <cgit@cryptocrack.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Add branch-sort and repo.branch-sort options.Jason A. Donenfeld2013-04-105-22/+46
When set to "name", branches are sorted by name, which is the current default. When set to "age", branches are sorted by the age of the repository. This feature was requested by Konstantin Ryabitsev for use on kernel.org. Proposed-by: Konstantin Ryabitsev <mricon@kernel.org>
* tests: Make sure that git does not access $HOMEJason A. Donenfeld2013-04-081-0/+25
With the latest changes to prevent git from accessing configuration files that it should not, it's important to be sure that we won't have further breakage in the future. Use strace to implement a test to make sure cgit does not access() anything built from $HOME. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Do not load user or system gitconfig and gitattributesJason A. Donenfeld2013-04-083-2/+24
While doing any kind of git loading, unset HOME variables and set NOSYSTEM variables so that cgit does not load any settings that a user may have set for his own /usr/bin/git usage. This fixes a fatal error introduced with git 1.8, whereupon git would fatally exit when failing to access particular files. The result of this is that only repo-local configuration files are accessed:
zx2c4@thinkpad ~/Projects/cgit $ HOME=/root QUERY_STRING="url=foo/log" CGIT_CONFIG=tests/trash/cgitrc strace -e access ./cgit >/dev/null
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
access("repos/foo/.git/objects", X_OK) = 0
access("repos/foo/.git/refs", X_OK) = 0
access("repos/foo/.git/config", R_OK) = 0
access("repos/foo/.git/config", R_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
+++ exited with 0 +++
Reported-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Makefile: remove CGIT-CFLAGS files in clean stageJason A. Donenfeld2013-03-201-1/+1
* html: check return value of writeJason A. Donenfeld2013-03-201-2/+3
This squelches a gcc warning. It's also correct that we check to see if there are any partial or failed writes. For now, we just print a warning to stderr. In the future, perhaps it will prove wise to exit(1) on partial writes.
* ui-shared: squelch compiler warning.Jason A. Donenfeld2013-03-201-0/+1
Since tail is initialized to 0, we will never get a warning on the last if statement, but recent gcc complains anyway. So, we initialize len as well. Future gcc versions should be able to optimize this out anyway.
* Merge branch 'wip'Jason A. Donenfeld2013-03-2018-111/+125
* ui-snapshot.c: Fill argv[0] with dummy.Jason A. Donenfeld2013-03-041-0/+1
parse_archive_args does not pass PARSE_OPT_KEEP_ARGV0 to parse_args, which means the first argument will be discarded, as though it were a function being called from the command-line. Thus, we fill argv[0] with a dummy argument to prevent this from happening. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* White space around control verbs.Jason A. Donenfeld2013-03-0416-42/+42
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Support unannotated tags in git-clone.Jason A. Donenfeld2013-02-011-4/+2
Matthew McClintock reported that older unannotated tags were not correctly being cloned and did not appear in info/refs. Further investigation revealed some dubious prefix comparison code for determining whether or not to write refs in info/refs. After comparing it with git's own http-backend.c, it appears upstream does not use this prefix logic. OTOH, I don't know what the reasoning was when the prefix logic was introduced. It appears to me to just be buggy, though it's possible there are other reasons, and we'll have to revisit this commit. But for now, Works For Me. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Matthew McClintock <msm@freescale.com> Reported-by: Matthew McClintock <msm@freescale.com>
* man: fix up default value duplicationJason A. Donenfeld2012-11-151-2/+2
* CGIT-0.9.1v0.9.1Jason A. Donenfeld2012-11-151-1/+1
Enhancements:
- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile
Security:
- CVE-2012-4465: heap-buffer overflow in parsing.c
- CVE-2012-4548: syntax highlighting command injection
Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stabilization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* man: show mime type default valueJason A. Donenfeld2012-11-151-0/+1
* syntax-highlighting.sh: Fix command injection.Jason A. Donenfeld2012-10-271-2/+2
By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
* Fix man page typo.Jason A. Donenfeld2012-10-181-2/+2
* Makefile: Support OpenBSD just like FreeBSDJason A. Donenfeld2012-10-171-2/+2
* Makefile: support FreeBSD libiconv pathsJason A. Donenfeld2012-10-171-0/+7
According to Dan Rue <drue@therub.org>, FreeBSD requires the lib paths to get libiconv from /usr/local.
* tests: check for proper html entityJason A. Donenfeld2012-10-171-1/+1
Since we're now properly writing ampersand literals as &amp; instead of as a plain &, we need to update the test accordingly. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* scan-tree: Unify gitweb.* and cgit.* settings into one config option.Jason A. Donenfeld2012-10-175-58/+36
After some back and forth with Jamie and René, it looks like the git config semantics are going to be like this:
- gitweb.category maps to the cgit repo config key "section"
- gitweb.description maps to the cgit repo config key "desc"
- gitweb.owner maps to the cgit repo config key "owner"
- cgit.* maps to all cgit repo config keys
This option can be enabled with "enable-git-config=1", and replaces all previous "enable-gitweb-*" config keys. The order of operations is as follows:
- git config settings are applied in the order that they exist in the git config file
- if the owner is not set from git config, get the owner using the usual getpwuid call
- if the description is not set from git config, look inside the static $path/description file
- if section-from-path=1, override whatever previous settings were inside of git config using the section-from-path logic
- parse $path/cgitrc for local repo.* settings, that override all previous settings
* ui-repolist: Rename section-sort to repository-sort.Jason A. Donenfeld2012-10-164-7/+7
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* README: times, they are a-changinJason A. Donenfeld2012-10-091-1/+1
* ui-snapshot: pass -n to gzip, to suppress timestampJason A. Donenfeld2012-09-271-8/+10
Since cgit snapshots of tags are often used for releases, we don't want the rarely used feature of the gzip compressor that includes an embedded timestamp into the archive, since this makes each tarball of the same (potentially signed) tag different. This commit refactors the archive handling code a bit so that each different format is able to run with an arbitrary argv for the filter.
* Update copyright headers to have latest dates.Jason A. Donenfeld2012-07-123-2/+3
* ui-repolist: Case insensitive sorting and age sortJason A. Donenfeld2012-07-124-5/+37
Add two options, one for doing the ordinary name sorts in a case-insensitive manner, and another for choosing to sort repos in each section by age instead of by name.
* scan-tree: Support gitweb.category.Jason A. Donenfeld2012-07-124-0/+14
Use gitweb.category from git config to determine repo's section, if option is enabled.
* scan-tree: Support gitweb.description.Jason A. Donenfeld2012-07-124-7/+28
Use gitweb.description instead of description file to determine description, if option is enabled.
* Support refspecs in about-filter.Jason A. Donenfeld2010-08-205-7/+63
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
* Add support for 'enable-gitweb-owner' optionJason A. Donenfeld2010-08-044-9/+33
When this option is enabled (which it is by default), cgit will lookup the 'gitweb.owner' setting in each git config file found when processing the 'scan-path' option. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
* Add support for 'remove-suffix' optionJason A. Donenfeld2010-08-044-0/+13
When this option is enabled, the '.git' suffix of repository directories found while processing the 'scan-path' option will be removed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
* Add support for 'project-list' optionJason A. Donenfeld2010-08-045-8/+70
This option specifies the location of a projectlist file as used by gitweb - when 'scan-tree' is later specified, only the projects listed in the projectlist file will be added. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Lars Hjemli <hjemli@gmail.com>