cgit with patches for sandboxing using qssb
Jason A. Donenfeld 4458abf641 filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-11-24 11:31:43 +01:00
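To make the bug class this commit fixes concrete, here is an added C example (not cgit's own code): the same length clamp written with a signed `int`, beside the unsigned version the commit switches to. `MAX_POST_LENGTH`, `parse_content_length` and the `bytes_to_read_*` functions are constructed names for this illustration, and the negative-wrap result assumes a two's-complement target such as gcc or clang on x86.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed limit standing in for the real post buffer size. */
#define MAX_POST_LENGTH 4096

/* Mirrors how ctx.env.content_length is filled: CONTENT_LENGTH parsed with
 * strtoul and stored in an unsigned int. Returns 0 for a missing or
 * malformed value (constructed policy for this example). */
static unsigned int parse_content_length(const char *env_value)
{
	char *end;
	unsigned long v;

	if (!env_value || !*env_value)
		return 0;
	errno = 0;
	v = strtoul(env_value, &end, 10);
	if (errno != 0 || *end != '\0')
		return 0;
	return (unsigned int)v;
}

/* Vulnerable pattern: the unsigned length is copied into a signed int before
 * the bound check. Above INT_MAX the int goes negative (implementation-defined,
 * wraps on gcc/clang), the "len > MAX" test passes, and converting the
 * negative len back to size_t asks for a read far larger than the buffer. */
static size_t bytes_to_read_buggy(unsigned int content_length)
{
	int len = content_length;
	if (len > MAX_POST_LENGTH)
		len = MAX_POST_LENGTH;
	return (size_t)len;          /* -1 becomes SIZE_MAX here */
}

/* Fixed pattern (what the commit does): keep the value unsigned throughout,
 * so every value above the limit is clamped and the read cannot exceed the buffer. */
static size_t bytes_to_read_fixed(unsigned int content_length)
{
	unsigned int len = content_length;
	if (len > MAX_POST_LENGTH)
		len = MAX_POST_LENGTH;
	return (size_t)len;
}

/* True when the computed read length fits the fixed-size buffer. */
static bool read_fits_buffer(size_t n)
{
	return n <= MAX_POST_LENGTH;
}
```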
| File | Last commit | Date |
|------|-------------|------|
| contrib/hooks | contrib/hooks: add sample post-receive hook using agefile | 2015-08-12 14:06:36 +02:00 |
| filters | about-formatting.sh: comment text out of date | 2015-11-12 04:44:32 +01:00 |
| git@22f698cb18 | git: update to v2.6.1 | 2015-10-06 16:39:06 +02:00 |
| tests | tests: allow shell to be overridden | 2015-08-13 15:36:18 +02:00 |
| .gitignore | tests/.gitignore: update for using Git's test infrastructure | 2013-04-08 22:27:53 +02:00 |
| .gitmodules | Delete submodules.sh and prepare for using git-submodule | 2007-09-03 22:54:51 +02:00 |
| .mailmap | mailmap: source before lighttpd | 2014-01-17 16:04:27 +01:00 |
| AUTHORS | authors: specify maintainers | 2014-01-14 02:00:07 +01:00 |
| cache.c | cache: fix resource leak: close file handle before return | 2015-10-10 21:41:04 +02:00 |
| cache.h | Switch to exclusively using global ctx | 2014-01-17 00:44:54 +01:00 |
| cgit-doc.css | Add cgit-doc.css | 2009-02-12 10:24:25 +01:00 |
| cgit.c | filter: avoid integer overflow in authenticate_post | 2015-11-24 11:31:43 +01:00 |
| cgit.css | Remove no-op link from submodule entries | 2015-03-13 14:52:52 +01:00 |
| cgit.h | refactor get_mimetype_from_file() to get_mimetype_for_filename() | 2015-08-17 14:25:08 +02:00 |
| cgit.mk | Makefile: add a target to run CGit through sparse | 2015-03-09 17:38:22 +01:00 |
| cgit.png | shrink cgit.png file size | 2015-02-15 22:06:24 +01:00 |
| cgitrc.5.txt | log: allow users to follow a file | 2015-08-12 16:57:46 +02:00 |
| cmd.c | cmd: fix resource leak: free allocation from cgit_currenturl and fmtalloc | 2015-10-09 14:03:58 +02:00 |
| cmd.h | cmd: no need for pre function hook now | 2015-08-14 15:54:32 +02:00 |
| configfile.c | configfile.c: don't include system headers directly | 2015-08-13 15:37:28 +02:00 |
| configfile.h | Use strbuf for reading configuration files | 2013-08-12 13:14:10 -06:00 |
| COPYING | Add license file and copyright notices | 2006-12-10 22:41:14 +01:00 |
| favicon.ico | Add favicon | 2013-05-31 02:52:24 +02:00 |
| filter.c | filter: don't use dlsym unnecessarily | 2015-08-13 15:39:06 +02:00 |
| gen-version.sh | gen-version.sh: check if git is available before trying to call it | 2014-02-05 15:09:15 +01:00 |
| html.c | html: remove html_status() | 2015-08-14 15:46:51 +02:00 |
| html.h | html: remove html_status() | 2015-08-14 15:46:51 +02:00 |
| Makefile | Makefile: fix MAKEFLAGS tests with multiple flags | 2015-10-09 10:56:06 +02:00 |
| parsing.c | Drop return value from parse_user() | 2015-03-05 15:54:47 +01:00 |
| README | remove trailing whitespaces from source files | 2014-04-17 12:55:09 +02:00 |
| robots.txt | robots.txt: disallow access to snapshots | 2013-08-12 13:14:10 -06:00 |
| scan-tree.c | scan-tree: remove useless strdup() | 2015-10-09 10:54:30 +02:00 |
| scan-tree.h | Add support for 'project-list' option | 2010-08-04 03:09:32 +02:00 |
| shared.c | Avoid use of non-reentrant functions | 2015-10-09 11:01:04 +02:00 |
| ui-atom.c | ui-atom: fix resource leak: free allocation from cgit_pageurl | 2015-10-10 21:40:26 +02:00 |
| ui-atom.h | Add atom-support | 2008-08-01 22:12:34 +02:00 |
| ui-blob.c | ui-blob: fix resource leak: free before return | 2015-10-10 21:39:25 +02:00 |
| ui-blob.h | readme: use string_list instead of space deliminations | 2013-05-26 16:30:03 +02:00 |
| ui-clone.c | clone: use cgit_print_error_page() instead of html_status() | 2015-08-14 15:46:51 +02:00 |
| ui-clone.h | Switch to exclusively using global ctx | 2014-01-17 00:44:54 +01:00 |
| ui-commit.c | commit: move layout into page function | 2015-08-14 15:46:51 +02:00 |
| ui-commit.h | ui-commit: Limit diff based on path limit in qry.path | 2010-06-19 10:40:23 +02:00 |
| ui-diff.c | diff: move layout to page function | 2015-08-14 15:46:51 +02:00 |
| ui-diff.h | Allow for creating raw diffs with cgit_print_diff() | 2013-08-16 13:15:37 -06:00 |
| ui-log.c | log: move layout into page function | 2015-08-14 15:46:51 +02:00 |
| ui-log.h | ui-log: Add "commit-sort" option for controlling commit ordering | 2012-10-17 16:30:29 +02:00 |
| ui-patch.c | patch: use cgit_print_error_page() for HTTP status codes | 2015-08-14 15:46:51 +02:00 |
| ui-patch.h | ui-patch: Rename variables | 2013-08-20 19:55:54 +02:00 |
| ui-plain.c | ui-plain: fix resource leak: free before assigning NULL | 2015-10-09 15:50:34 +02:00 |
| ui-plain.h | Switch to exclusively using global ctx | 2014-01-17 00:44:54 +01:00 |
| ui-refs.c | ui-refs: remove useless null check | 2015-10-09 10:54:48 +02:00 |
| ui-refs.h | Add separate header-files for each page/view | 2008-03-24 16:38:47 +01:00 |
| ui-repolist.c | ui-repolist: fix resource leak: free allocation from cgit_currenturl | 2015-10-09 15:49:57 +02:00 |
| ui-repolist.h | Prepare for 'about site' page / add 'root-readme' option to cgitrc | 2008-04-29 01:06:30 +02:00 |
| ui-shared.c | ui-shared: fix resource leak: free allocation from cgit_hosturl | 2015-10-09 14:04:42 +02:00 |
| ui-shared.h | ui-shared: return value of cgit_hosturl is not const | 2015-10-09 14:04:27 +02:00 |
| ui-snapshot.c | snapshot: don't reimplement cgit_print_error_page() | 2015-08-14 15:46:51 +02:00 |
| ui-snapshot.h | Remove unused parameter from cgit_print_snapshot() | 2014-02-21 18:19:00 +01:00 |
| ui-ssdiff.c | ui-ssdiff: fix resource leak: free allocation from cgit_fileurl | 2015-10-09 13:59:24 +02:00 |
| ui-ssdiff.h | ui-ssdiff: move LCS table away from the stack | 2012-01-03 15:16:01 +00:00 |
| ui-stats.c | stats: move layout into page function | 2015-08-14 15:46:51 +02:00 |
| ui-stats.h | ui-stats: make cgit_period definitions 'static const' | 2015-03-09 17:40:02 +01:00 |
| ui-summary.c | ui-summary: send images plain for about page | 2015-08-17 14:42:58 +02:00 |
| ui-summary.h | readme: use string_list instead of space deliminations | 2013-05-26 16:30:03 +02:00 |
| ui-tag.c | tag: move layout into page function | 2015-08-14 15:46:51 +02:00 |
| ui-tag.h | Add separate header-files for each page/view | 2008-03-24 16:38:47 +01:00 |
| ui-tree.c | ui-tree: fix resource leak: free before return | 2015-10-09 13:58:25 +02:00 |
| ui-tree.h | Add separate header-files for each page/view | 2008-03-24 16:38:47 +01:00 |

cgit - CGI for Git
==================

This is an attempt to create a fast web interface for the Git SCM, using a
built-in cache to decrease server I/O pressure.

Installation
------------

Building cgit involves building a proper version of Git. How to do this
depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to
initialize and update the Git submodule:

    $ git submodule init     # register the Git submodule in .git/config
    $ $EDITOR .git/config    # if you want to specify a different url for git
    $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git
version like this:

    $ make get-git

When either a) or b) has been performed, you can build and install cgit like
this:

    $ make
    $ sudo make install

This will install `cgit.cgi` and `cgit.css` into `/var/www/htdocs/cgit`. You
can configure this location (and a few other things) by providing a `cgit.conf`
file (see the Makefile for details).

If you'd like to compile without Lua support, you may use:

    $ make NO_LUA=1

And if you'd like to specify a Lua implementation, you may use:

    $ make LUA_PKGCONFIG=lua5.1

If this is not specified, the Lua implementation will be auto-detected,
preferring LuaJIT if more than one is present. Acceptable values are generally
"lua", "luajit", "lua5.1", and "lua5.2".


Dependencies
------------

* libzip
* libcrypto (OpenSSL)
* libssl (OpenSSL)
* optional: luajit or lua, most reliably used when pkg-config is available

Apache configuration
--------------------

A new `Directory` section will probably need to be added for cgit, something
like this:

    <Directory "/var/www/htdocs/cgit/">
        AllowOverride None
        Options +ExecCGI
        Order allow,deny
        Allow from all
    </Directory>


Runtime configuration
---------------------

The file `/etc/cgitrc` is read by cgit before handling a request. In addition
to runtime parameters, this file may also contain a list of repositories
displayed by cgit (see `cgitrc.5.txt` for further details).

The cache
---------

When cgit is invoked it looks for a cache file matching the request and
returns it to the client. If no such cache file exists (or if it has expired),
the content for the request is written into the proper cache file before the
file is returned.

If the cache file has expired but cgit is unable to obtain a lock for it, the
stale cache file is returned to the client. This is done to favour page
throughput over page freshness.

The generated content contains the complete response to the client, including
the HTTP headers `Modified` and `Expires`.

Online presence
---------------

* The cgit homepage is hosted by cgit at <http://git.zx2c4.com/cgit/about/>

* Patches, bug reports, discussions and support should go to the cgit
  mailing list: <cgit@lists.zx2c4.com>. To sign up, visit
  <http://lists.zx2c4.com/mailman/listinfo/cgit>