ui-plain: add enable-html-serving flag
Unrestricts plain/ to contents likely to be executed by browser.
This commit is contained in:
Jason A. Donenfeld
джерело
9ca2566972
коміт
c326f3eb02
5
cgit.c
5
cgit.c
|
|
@ -55,6 +55,8 @@ static void repo_config(struct cgit_repo *repo, const char *name, const char *va
|
||||||
repo->enable_remote_branches = atoi(value);
|
repo->enable_remote_branches = atoi(value);
|
||||||
else if (!strcmp(name, "enable-subject-links"))
|
else if (!strcmp(name, "enable-subject-links"))
|
||||||
repo->enable_subject_links = atoi(value);
|
repo->enable_subject_links = atoi(value);
|
||||||
|
else if (!strcmp(name, "enable-html-serving"))
|
||||||
|
repo->enable_html_serving = atoi(value);
|
||||||
else if (!strcmp(name, "branch-sort")) {
|
else if (!strcmp(name, "branch-sort")) {
|
||||||
if (!strcmp(value, "age"))
|
if (!strcmp(value, "age"))
|
||||||
repo->branch_sort = 1;
|
repo->branch_sort = 1;
|
||||||
|
|
@ -170,6 +172,8 @@ static void config_cb(const char *name, const char *value)
|
||||||
ctx.cfg.enable_remote_branches = atoi(value);
|
ctx.cfg.enable_remote_branches = atoi(value);
|
||||||
else if (!strcmp(name, "enable-subject-links"))
|
else if (!strcmp(name, "enable-subject-links"))
|
||||||
ctx.cfg.enable_subject_links = atoi(value);
|
ctx.cfg.enable_subject_links = atoi(value);
|
||||||
|
else if (!strcmp(name, "enable-html-serving"))
|
||||||
|
ctx.cfg.enable_html_serving = atoi(value);
|
||||||
else if (!strcmp(name, "enable-tree-linenumbers"))
|
else if (!strcmp(name, "enable-tree-linenumbers"))
|
||||||
ctx.cfg.enable_tree_linenumbers = atoi(value);
|
ctx.cfg.enable_tree_linenumbers = atoi(value);
|
||||||
else if (!strcmp(name, "enable-git-config"))
|
else if (!strcmp(name, "enable-git-config"))
|
||||||
|
|
@ -821,6 +825,7 @@ static void print_repo(FILE *f, struct cgit_repo *repo)
|
||||||
fprintf(f, "repo.logo-link=%s\n", repo->logo_link);
|
fprintf(f, "repo.logo-link=%s\n", repo->logo_link);
|
||||||
fprintf(f, "repo.enable-remote-branches=%d\n", repo->enable_remote_branches);
|
fprintf(f, "repo.enable-remote-branches=%d\n", repo->enable_remote_branches);
|
||||||
fprintf(f, "repo.enable-subject-links=%d\n", repo->enable_subject_links);
|
fprintf(f, "repo.enable-subject-links=%d\n", repo->enable_subject_links);
|
||||||
|
fprintf(f, "repo.enable-html-serving=%d\n", repo->enable_html_serving);
|
||||||
if (repo->branch_sort == 1)
|
if (repo->branch_sort == 1)
|
||||||
fprintf(f, "repo.branch-sort=age\n");
|
fprintf(f, "repo.branch-sort=age\n");
|
||||||
if (repo->commit_sort) {
|
if (repo->commit_sort) {
|
||||||
|
|
|
||||||
2
cgit.h
2
cgit.h
|
|
@ -101,6 +101,7 @@ struct cgit_repo {
|
||||||
int enable_log_linecount;
|
int enable_log_linecount;
|
||||||
int enable_remote_branches;
|
int enable_remote_branches;
|
||||||
int enable_subject_links;
|
int enable_subject_links;
|
||||||
|
int enable_html_serving;
|
||||||
int max_stats;
|
int max_stats;
|
||||||
int branch_sort;
|
int branch_sort;
|
||||||
int commit_sort;
|
int commit_sort;
|
||||||
|
|
@ -235,6 +236,7 @@ struct cgit_config {
|
||||||
int enable_log_linecount;
|
int enable_log_linecount;
|
||||||
int enable_remote_branches;
|
int enable_remote_branches;
|
||||||
int enable_subject_links;
|
int enable_subject_links;
|
||||||
|
int enable_html_serving;
|
||||||
int enable_tree_linenumbers;
|
int enable_tree_linenumbers;
|
||||||
int enable_git_config;
|
int enable_git_config;
|
||||||
int local_time;
|
int local_time;
|
||||||
|
|
|
||||||
11
cgitrc.5.txt
11
cgitrc.5.txt
|
|
@ -190,6 +190,13 @@ enable-subject-links::
|
||||||
in commit view. Default value: "0". See also:
|
in commit view. Default value: "0". See also:
|
||||||
"repo.enable-subject-links".
|
"repo.enable-subject-links".
|
||||||
|
|
||||||
|
enable-html-serving::
|
||||||
|
Flag which, when set to "1", will allow the /plain handler to serve
|
||||||
|
mimetype headers that result in the file being treated as HTML by the
|
||||||
|
browser. When set to "0", such file types are returned instead as
|
||||||
|
text/plain or application/octet-stream. Default value: "0". See also:
|
||||||
|
"repo.enable-html-serving".
|
||||||
|
|
||||||
enable-tree-linenumbers::
|
enable-tree-linenumbers::
|
||||||
Flag which, when set to "1", will make cgit generate linenumber links
|
Flag which, when set to "1", will make cgit generate linenumber links
|
||||||
for plaintext blobs printed in the tree view. Default value: "1".
|
for plaintext blobs printed in the tree view. Default value: "1".
|
||||||
|
|
@ -513,6 +520,10 @@ repo.enable-subject-links::
|
||||||
A flag which can be used to override the global setting
|
A flag which can be used to override the global setting
|
||||||
`enable-subject-links'. Default value: none.
|
`enable-subject-links'. Default value: none.
|
||||||
|
|
||||||
|
enable-html-serving::
|
||||||
|
A flag which can be used to override the global setting
|
||||||
|
`enable-html-serving`. Default value: none.
|
||||||
|
|
||||||
repo.hide::
|
repo.hide::
|
||||||
Flag which, when set to "1", hides the repository from the repository
|
Flag which, when set to "1", hides the repository from the repository
|
||||||
index. The repository can still be accessed by providing a direct path.
|
index. The repository can still be accessed by providing a direct path.
|
||||||
|
|
|
||||||
1
shared.c
1
shared.c
|
|
@ -61,6 +61,7 @@ struct cgit_repo *cgit_add_repo(const char *url)
|
||||||
ret->enable_log_linecount = ctx.cfg.enable_log_linecount;
|
ret->enable_log_linecount = ctx.cfg.enable_log_linecount;
|
||||||
ret->enable_remote_branches = ctx.cfg.enable_remote_branches;
|
ret->enable_remote_branches = ctx.cfg.enable_remote_branches;
|
||||||
ret->enable_subject_links = ctx.cfg.enable_subject_links;
|
ret->enable_subject_links = ctx.cfg.enable_subject_links;
|
||||||
|
ret->enable_html_serving = ctx.cfg.enable_html_serving;
|
||||||
ret->max_stats = ctx.cfg.max_stats;
|
ret->max_stats = ctx.cfg.max_stats;
|
||||||
ret->branch_sort = ctx.cfg.branch_sort;
|
ret->branch_sort = ctx.cfg.branch_sort;
|
||||||
ret->commit_sort = ctx.cfg.commit_sort;
|
ret->commit_sort = ctx.cfg.commit_sort;
|
||||||
|
|
|
||||||
10
ui-plain.c
10
ui-plain.c
|
|
@ -37,6 +37,16 @@ static int print_object(const unsigned char *sha1, const char *path)
|
||||||
mimetype = get_mimetype_for_filename(path);
|
mimetype = get_mimetype_for_filename(path);
|
||||||
ctx.page.mimetype = mimetype;
|
ctx.page.mimetype = mimetype;
|
||||||
|
|
||||||
|
if (!ctx.repo->enable_html_serving) {
|
||||||
|
html("X-Content-Type-Options: nosniff\n");
|
||||||
|
html("Content-Security-Policy: default-src 'none'\n");
|
||||||
|
if (mimetype) {
|
||||||
|
/* Built-in white list allows PDF and everything that isn't text/ and application/ */
|
||||||
|
if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
|
||||||
|
ctx.page.mimetype = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!ctx.page.mimetype) {
|
if (!ctx.page.mimetype) {
|
||||||
if (buffer_is_binary(buf, size)) {
|
if (buffer_is_binary(buf, size)) {
|
||||||
ctx.page.mimetype = "application/octet-stream";
|
ctx.page.mimetype = "application/octet-stream";
|
||||||
|
|
|
||||||
Завантаження…
Посилання в новій задачі