cgit with patches for sandboxing using qssb
Go to file
Jason A. Donenfeld 53efaf30b5 clone: fix directory traversal
This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>
2018-08-03 17:04:03 +02:00
contrib/hooks contrib/hooks: add sample post-receive hook using agefile 2015-08-12 14:06:36 +02:00
filters auth-filters: add simple file-based authentication scheme 2018-08-03 16:12:21 +02:00
git@53f9a3e157 git: update to v2.18.0 2018-06-27 18:13:03 +02:00
tests global: spelling fixes 2017-10-15 18:44:55 +02:00
.gitignore tests/.gitignore: update for using Git's test infrastructure 2013-04-08 22:27:53 +02:00
.gitmodules Use https for submodule 2017-09-22 00:52:57 +02:00
.mailmap Update .mailmap with my new email address 2017-07-27 16:20:44 +02:00
AUTHORS authors: specify maintainers 2014-01-14 02:00:07 +01:00
cache.c cache: close race window when unlocking slots 2018-06-27 18:13:03 +02:00
cache.h global: spelling fixes 2017-10-15 18:44:55 +02:00
cgit.c config: record repo.snapshot-prefix in the per-repo config 2018-08-03 16:12:21 +02:00
cgit.css css: use correct size in annotated decoration 2018-07-08 19:14:51 +02:00
cgit.h extra-head-content: introduce another option for meta tags 2018-07-03 20:37:00 +02:00
cgit.mk ui-blame: add blame UI 2017-10-03 19:19:34 +01:00
cgit.png shrink cgit.png file size 2015-02-15 22:06:24 +01:00
cgitrc.5.txt cgitrc.5: add local tar signature example 2018-07-05 02:40:48 +02:00
cmd.c ui-blame: add blame UI 2017-10-03 19:19:34 +01:00
cmd.h cmd: no need for pre function hook now 2015-08-14 15:54:32 +02:00
configfile.c configfile: fix EOF handling 2016-10-01 11:43:33 +01:00
configfile.h Use strbuf for reading configuration files 2013-08-12 13:14:10 -06:00
COPYING Update COPYING 2018-07-10 16:40:15 +02:00
favicon.ico Add favicon 2013-05-31 02:52:24 +02:00
filter.c filter: pipe_fh should be local 2017-10-14 16:13:07 +02:00
gen-version.sh gen-version.sh: check if git is available before trying to call it 2014-02-05 15:09:15 +01:00
html.c html: html_ntxt with no ellipsis 2017-10-03 19:19:34 +01:00
html.h html: html_ntxt with no ellipsis 2017-10-03 19:19:34 +01:00
Makefile Bump version. 2018-07-13 22:40:42 +02:00
parsing.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
README Hosted on HTTPS now 2016-06-07 14:49:35 +02:00
robots.txt robots.txt: disallow access to snapshots 2013-08-12 13:14:10 -06:00
scan-tree.c git: update to v2.14 2017-08-10 15:58:24 +02:00
scan-tree.h Add support for 'project-list' option 2010-08-04 03:09:32 +02:00
shared.c Fix gcc 8.1.1 compiler warnings 2018-07-04 03:13:41 +02:00
ui-atom.c ui-atom: properly escape delimiter in page link 2017-08-10 15:58:24 +02:00
ui-atom.h Add atom-support 2008-08-01 22:12:34 +02:00
ui-blame.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-blame.h ui-blame: add blame UI 2017-10-03 19:19:34 +01:00
ui-blob.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-blob.h readme: use string_list instead of space deliminations 2013-05-26 16:30:03 +02:00
ui-clone.c clone: fix directory traversal 2018-08-03 17:04:03 +02:00
ui-clone.h Switch to exclusively using global ctx 2014-01-17 00:44:54 +01:00
ui-commit.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-commit.h ui-commit: Limit diff based on path limit in qry.path 2010-06-19 10:40:23 +02:00
ui-diff.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-diff.h git: update to v2.10.0 2016-09-04 12:38:18 +02:00
ui-log.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-log.h ui-log: Add "commit-sort" option for controlling commit ordering 2012-10-17 16:30:29 +02:00
ui-patch.c cache: flush stdio before restoring FDs 2017-10-03 19:19:34 +01:00
ui-patch.h ui-patch: Rename variables 2013-08-20 19:55:54 +02:00
ui-plain.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-plain.h Switch to exclusively using global ctx 2014-01-17 00:44:54 +01:00
ui-refs.c ui-refs: use shared function to print tag downloads 2018-06-27 18:11:19 +02:00
ui-refs.h Fix missing prototype declarations 2016-01-14 14:02:29 +01:00
ui-repolist.c global: remove functionality we deprecated for cgit v1.0 2018-06-27 18:13:03 +02:00
ui-repolist.h Fix missing prototype declarations 2016-01-14 14:02:29 +01:00
ui-shared.c Fix gcc 8.1.1 compiler warnings 2018-07-04 03:13:41 +02:00
ui-shared.h ui-shared: pass separator in to cgit_print_snapshot_links() 2018-06-27 18:11:19 +02:00
ui-snapshot.c snapshot: support tar signature for compressed tar 2018-07-03 20:37:44 +02:00
ui-snapshot.h Remove unused parameter from cgit_print_snapshot() 2014-02-21 18:19:00 +01:00
ui-ssdiff.c Fix gcc 8.1.1 compiler warnings 2018-07-04 03:13:41 +02:00
ui-ssdiff.h Fix missing prototype declarations 2016-01-14 14:02:29 +01:00
ui-stats.c forms: action should not be empty 2016-05-12 21:29:49 +02:00
ui-stats.h ui-stats: make cgit_period definitions 'static const' 2015-03-09 17:40:02 +01:00
ui-summary.c ui-summary: send images plain for about page 2015-08-17 14:42:58 +02:00
ui-summary.h Fix missing prototype declarations 2016-01-14 14:02:29 +01:00
ui-tag.c ui-shared: pass separator in to cgit_print_snapshot_links() 2018-06-27 18:11:19 +02:00
ui-tag.h Add separate header-files for each page/view 2008-03-24 16:38:47 +01:00
ui-tree.c git: update to v2.18.0 2018-06-27 18:13:03 +02:00
ui-tree.h Add separate header-files for each page/view 2008-03-24 16:38:47 +01:00

cgit - CGI for Git
==================

This is an attempt to create a fast web interface for the Git SCM, using a
built-in cache to decrease server I/O pressure.

Installation
------------

Building cgit involves building a proper version of Git. How to do this
depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to
initialize and update the Git submodule:

    $ git submodule init     # register the Git submodule in .git/config
    $ $EDITOR .git/config    # if you want to specify a different url for git
    $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git
version like this:

    $ make get-git

When either a) or b) has been performed, you can build and install cgit like
this:

    $ make
    $ sudo make install

This will install `cgit.cgi` and `cgit.css` into `/var/www/htdocs/cgit`. You
can configure this location (and a few other things) by providing a `cgit.conf`
file (see the Makefile for details).

If you'd like to compile without Lua support, you may use:

    $ make NO_LUA=1

And if you'd like to specify a Lua implementation, you may use:

    $ make LUA_PKGCONFIG=lua5.1

If this is not specified, the Lua implementation will be auto-detected,
preferring LuaJIT if many are present. Acceptable values are generally "lua",
"luajit", "lua5.1", and "lua5.2".


Dependencies
------------

* libzip
* libcrypto (OpenSSL)
* libssl (OpenSSL)
* optional: luajit or lua, most reliably used when pkg-config is available

Apache configuration
--------------------

A new `Directory` section must probably be added for cgit, possibly something
like this:

    <Directory "/var/www/htdocs/cgit/">
        AllowOverride None
        Options +ExecCGI
        Order allow,deny
        Allow from all
    </Directory>


Runtime configuration
---------------------

The file `/etc/cgitrc` is read by cgit before handling a request. In addition
to runtime parameters, this file may also contain a list of repositories
displayed by cgit (see `cgitrc.5.txt` for further details).

The cache
---------

When cgit is invoked it looks for a cache file matching the request and
returns it to the client. If no such cache file exists (or if it has expired),
the content for the request is written into the proper cache file before the
file is returned.

If the cache file has expired but cgit is unable to obtain a lock for it, the
stale cache file is returned to the client. This is done to favour page
throughput over page freshness.

The generated content contains the complete response to the client, including
the HTTP headers `Modified` and `Expires`.

Online presence
---------------

* The cgit homepage is hosted by cgit at <https://git.zx2c4.com/cgit/about/>

* Patches, bug reports, discussions and support should go to the cgit
  mailing list: <cgit@lists.zx2c4.com>. To sign up, visit
  <https://lists.zx2c4.com/mailman/listinfo/cgit>