Commit Graph

57 Commits

Author SHA1 Message Date
Jason A. Donenfeld
77b6f83344 auth-filters: add simple file-based authentication scheme
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03 16:12:21 +02:00
Jason A. Donenfeld
82856923bf auth-filters: use crypt() in simple-authentication
There's no use in giving a silly example to folks who will just copy it,
so instead try to do something slightly better.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 04:18:03 +02:00
Jason A. Donenfeld
b73df8098f auth-filters: generate secret securely
This is much better than having the user generate it themselves.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 03:30:57 +02:00
Jason A. Donenfeld
c4d23d02ec auth-filters: do not crash on nil username
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 05:10:28 +02:00
Jason A. Donenfeld
c3b5b5f648 auth-filters: do not use HMAC-SHA1
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 03:33:56 +02:00
Jeff Smith
dbaee2672b ui-blame: Allow syntax highlighting
Place file contents into a single block so that syntax highlighting can
be applied in the usual fashion.  Place the alternating color bars
behind the file contents.  Force the default syntax highlighting
background to transparent.

Signed-off-by: Jeff Smith <whydoubt@gmail.com>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-01-19 11:40:58 +01:00
Ville Skyttä
67d0f87050 global: spelling fixes
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
2017-10-15 18:44:55 +02:00
Jason A. Donenfeld
5564a5d066 syntax-highlighting: replace invalid unicode with ? 2017-01-22 12:44:44 +01:00
Jason A. Donenfeld
7d51120440 md2html: use utf-8 and flush output buffer
Otherwise we get the classic Python UTF-8 errors, and the text is all
out of order. While we're at it, switch to python3 so we only have to
support one set of oddball semantics.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Daniel Campbell <dlcampbell@gmx.com>
2016-06-17 12:28:03 +02:00
Jason A. Donenfeld
d88ec849c4 Hosted on HTTPS now 2016-06-07 14:49:35 +02:00
Jason A. Donenfeld
1892cd9a60 md2html: Do syntax highlighting too 2016-02-23 15:00:05 +01:00
Jason A. Donenfeld
d3756bd7b0 syntax-highlighting: always use utf-8 to avoid ascii codec issues 2016-01-18 11:14:06 +01:00
Jason A. Donenfeld
ffe09621f2 about-formatting.sh: comment text out of date 2015-11-12 04:44:32 +01:00
Christian Hesse
143e65252c filters: port syntax-highlighting.py to python 3.x
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-12 18:36:23 +02:00
Jason A. Donenfeld
3f9e14ada1 md2html: the default of stdin works fine
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12 18:33:46 +02:00
Jason A. Donenfeld
c301899112 filters: misc cleanups
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12 16:47:47 +02:00
Jason A. Donenfeld
ccb4254104 md2html: use pure python
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12 16:42:54 +02:00
Jason A. Donenfeld
525c815cc4 filters: Simplify converters
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-09 15:13:35 +02:00
Lazaros Koromilas
13c2d3df04 filters: apply HTML escaping
http://www.w3.org/International/questions/qa-escapes#use
2015-08-12 14:13:44 +02:00
Jason A. Donenfeld
7511f4b4df filters: Add sample gentoo script 2015-03-13 14:51:22 +01:00
Jason A. Donenfeld
ecd6b7230c simple-authentication.lua: tie secure cookies to field names 2015-03-05 15:51:22 +01:00
Chris Burroughs
62affc0e91 match other common markdown file extensions 2014-12-23 19:10:11 -07:00
Chris Burroughs
96ceb9a95a repolist: add owner-filter
This allows custom links to be used for repository owners by
configuring a filter to be applied in the "Owner" column in the
repository list.
2014-12-23 19:08:20 -07:00
Christian Hesse
10c5680efb filter: fix libravatar email-filter https issue
Serving cgit via https and getting avatar via http gives error messages
about untrusted content. This decides whether or not to use https link
by looking at the environment variable HTTPS, which is set in CGI.
2014-12-13 12:38:42 +01:00
Christian Hesse
b431282c91 remove trailing whitespaces from source files 2014-04-17 12:55:09 +02:00
Christian Hesse
e22e985416 filter: add libravatar email-filter lua script 2014-03-13 04:57:01 -06:00
Jason A. Donenfeld
aa6d5b105d simple-authentication: style
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-23 00:58:07 +01:00
Jason A. Donenfeld
9dde6d38e9 auth: document tweakables in lua script
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-17 15:34:44 +01:00
Jason A. Donenfeld
a431326e8f auth: have cgit calculate login address
This way we're sure to use virtual root, or any other strangeness
encountered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 23:21:54 +01:00
Jason A. Donenfeld
df00ab1096 auth: lua string comparisons are time invariant
By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 19:47:35 +01:00
Jason A. Donenfeld
b826537cb4 authentication: use hidden form instead of referer
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 12:13:39 +01:00
Jason A. Donenfeld
d6e9200cc3 auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very plugable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 02:28:12 +01:00
Christian Hesse
8ae1d8b8fd email-gravatar: fix html syntax issues
an attribute value specification must be an attribute value literal
unless SHORTTAG YES is specified
2014-01-15 14:43:02 +01:00
Jason A. Donenfeld
5bda21faf4 email-gravatar: do not scale icons up
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 18:57:51 +01:00
Jason A. Donenfeld
6ca734da8f filter: allow returning exit code from filter
Filters can now indicate a status back to cgit by means of the exit code
for exec, or the return value from close for Lua.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 18:09:52 +01:00
Christian Hesse
1167dbb95b email-gravatar: fix html syntax issues
* make ampersand a html entity
* add required alt attribute
* add required img end tag
2014-01-14 13:55:44 +01:00
Christian Hesse
46176eca7f email-gravatar.py: fix UTF-8 2014-01-14 13:55:35 +01:00
Christian Hesse
50287e7912 email-gravatar.lua: fix for lua 5.2 2014-01-14 13:55:25 +01:00
Jason A. Donenfeld
786609bd36 filter: add page source to email filter
Since the email filter is called from lots of places, the script might
benefit from knowing the origin. That way it can modify its contents
and/or size depending.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 02:00:07 +01:00
Jason A. Donenfeld
e942a1622b filter: add gravatar scripts
The lua one is hugely faster than the python one, but both are included
for comparison.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 02:00:07 +01:00
Stefan Tatschner
ceffeb5d52 filters: Improved syntax-highlighting.py
- Switched back to python2 according to a problem in pygments with python3.
  With the next release of pygments this problem should be fixed.
  Issue see here:
  https://bitbucket.org/birkenfeld/pygments-main/issue/901/problems-with-python3
- Just read the stdin, decode it to utf-8 and ignore unknown signs. This ensures
  that even destroyed files do not cause any errors in the filter.
- Improved language guessing:
  -> At first use guess_lexer_for_filename for a better detection of the used
     programming languages (even mixed cases will be detected, e.g. php + html).
  -> If nothing was found look if there is a shebang and use guess_lexer.
  -> As default/fallback choose TextLexer.

Signed-off-by: Stefan Tatschner <stefan@sevenbyte.org>
2014-01-13 22:48:51 +01:00
Přemysl Janouch
b6da53dd75 Fix UTF-8 with syntax-highlighting.py
Previously the script tried to encode output from Pygments with
the ASCII codec, which failed.

Signed-off-by: Přemysl Janouch <p.janouch@gmail.com>
2014-01-08 16:49:42 +01:00
Přemysl Janouch
f1fb521a05 Fix about-formatting.sh
dash failed to parse the script.

Signed-off-by: Přemysl Janouch <p.janouch@gmail.com>
2014-01-08 16:46:51 +01:00
Ferry Huberts
09a28d761e filters: highlight.sh: add css comments for highlight 2.6 and 3.8
v2: add highlight 3.13 as present on Fedora 19

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2014-01-08 16:41:26 +01:00
Jason A. Donenfeld
6d6f8bdeed filters: toggle perl utf8 situation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-28 07:55:40 +02:00
Jason A. Donenfeld
8149be213f filters: import more modern scripts
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-27 21:54:16 +02:00
Jason A. Donenfeld
7ea35f9f8e syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
2012-10-27 20:05:50 -06:00
Ferry Huberts
d14faf4424 syntax-highlight: when the file has no extension, assume text
There are 2 situations:
1- empty extension: assuming text is better than highlight
   producing no output because of a missing argument.
2- no extension at all: assuming text is better than setting
   the extension to the filename, which is what now happens.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-10-09 13:19:12 +02:00
Ferry Huberts
2ad9063cb5 Revert "filters/syntax-highlighting.sh: work around highlight --force bug"
This reverts commit f50be7fda0.

An update with the latest highlight landed in EPEL. This new version
doesn't have the --force bug, so the workaround can now be removed.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-10-09 13:12:09 +02:00
Lars Hjemli
08352c7a02 Merge branch 'stable' 2012-03-18 20:23:30 +00:00