cgit with patches for sandboxing using qssb
8a92df033e
While doing any kind of git loading, unset HOME variables and set NOSYSTEM variables so that cgit does not load any settings that a user may have set for his own /usr/bin/git usage. This fixes a fatal error introduced with git 1.8, whereupon git would fatally exit when failing to access particular files.

The result of this is that only repo-local configuration files are accessed:

    zx2c4@thinkpad ~/Projects/cgit $ HOME=/root QUERY_STRING="url=foo/log" CGIT_CONFIG=tests/trash/cgitrc strace -e access ./cgit >/dev/null
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    access("repos/foo/.git/objects", X_OK) = 0
    access("repos/foo/.git/refs", X_OK) = 0
    access("repos/foo/.git/config", R_OK) = 0
    access("repos/foo/.git/config", R_OK) = 0
    access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
    access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
    access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
    access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
    +++ exited with 0 +++

Reported-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

| Name |
|---|
| filters |
| git@5bda18c186 |
| tests |
| .gitignore |
| .gitmodules |
| cache.c |
| cache.h |
| cgit-doc.css |
| cgit.c |
| cgit.css |
| cgit.h |
| cgit.mk |
| cgit.png |
| cgitrc.5.txt |
| cmd.c |
| cmd.h |
| configfile.c |
| configfile.h |
| COPYING |
| gen-version.sh |
| html.c |
| html.h |
| Makefile |
| parsing.c |
| README |
| scan-tree.c |
| scan-tree.h |
| shared.c |
| ui-atom.c |
| ui-atom.h |
| ui-blob.c |
| ui-blob.h |
| ui-clone.c |
| ui-clone.h |
| ui-commit.c |
| ui-commit.h |
| ui-diff.c |
| ui-diff.h |
| ui-log.c |
| ui-log.h |
| ui-patch.c |
| ui-patch.h |
| ui-plain.c |
| ui-plain.h |
| ui-refs.c |
| ui-refs.h |
| ui-repolist.c |
| ui-repolist.h |
| ui-shared.c |
| ui-shared.h |
| ui-snapshot.c |
| ui-snapshot.h |
| ui-ssdiff.c |
| ui-ssdiff.h |
| ui-stats.c |
| ui-stats.h |
| ui-summary.c |
| ui-summary.h |
| ui-tag.c |
| ui-tag.h |
| ui-tree.c |
| ui-tree.h |
| vector.c |
| vector.h |

cgit - cgi for git

This is an attempt to create a fast web interface for the git scm, using a built-in cache to decrease server I/O pressure.

Installation

Building cgit involves building a proper version of git. How to do this depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to initialize and update the git submodule:

  $ git submodule init     # register the git submodule in .git/config
  $ $EDITOR .git/config    # if you want to specify a different url for git
  $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git version like this:

  $ make get-git

When either a) or b) has been performed, you can build and install cgit like this:

  $ make
  $ sudo make install

This will install cgit.cgi and cgit.css into "/var/www/htdocs/cgit". You can configure this location (and a few other things) by providing a "cgit.conf" file (see the Makefile for details).

Dependencies:

  - git 1.7.4
  - zip lib
  - crypto lib
  - openssl lib

Apache configuration

A new Directory section will probably need to be added for cgit, possibly something like this:

  <Directory "/var/www/htdocs/cgit/">
      AllowOverride None
      Options +ExecCGI
      Order allow,deny
      Allow from all
  </Directory>

Runtime configuration

The file /etc/cgitrc is read by cgit before handling a request. In addition to runtime parameters, this file may also contain a list of repositories displayed by cgit (see cgitrc.5.txt for further details).

The cache

When cgit is invoked, it looks for a cachefile matching the request and returns it to the client. If no such cachefile exists (or if it has expired), the content for the request is written into the proper cachefile before the file is returned.

If the cachefile has expired but cgit is unable to obtain a lock for it, the stale cachefile is returned to the client. This is done to favour page throughput over page freshness.

The generated content contains the complete response to the client, including the HTTP headers "Modified" and "Expires".

Online presence

* The cgit homepage is hosted by cgit at http://git.zx2c4.com/cgit/about

* Patches, bug reports, discussions and support should go to the cgit mailing list: cgit@hjemli.net
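
The serving policy described under "The cache" above, written out as an added C example (it is not cgit's cache.c or any other code from this repository): a fresh file is served, an expired one is regenerated under an exclusive lock, and the stale one is served when the lock is already held. The names cache_serve, fill_fn and sample_fill are hypothetical; the ".lock" suffix and the error return when neither a cache file nor the lock is available are assumptions of this example.

```c
/* Added illustration of the README's cache policy; this is not cgit's cache.c. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

enum cache_result { CACHE_HIT, CACHE_FILLED, CACHE_STALE, CACHE_ERROR };

/* Hypothetical generator callback: writes the complete response to fd. */
typedef int (*fill_fn)(int fd);

/* Constructed sample generator standing in for real page rendering. */
int sample_fill(int fd)
{
	static const char body[] = "Content-Type: text/html\n\n<html>demo</html>\n";
	ssize_t want = (ssize_t)sizeof(body) - 1;
	return write(fd, body, (size_t)want) == want ? 0 : -1;
}

/* Decide how a request for cache file `path` with lifetime `ttl` is served. */
enum cache_result cache_serve(const char *path, time_t ttl, fill_fn fill)
{
	char lock[4096];
	struct stat st;
	int have = stat(path, &st) == 0;
	int fd, ok;

	if (have && time(NULL) - st.st_mtime < ttl)
		return CACHE_HIT;                /* fresh: serve the file as-is */
	if (snprintf(lock, sizeof(lock), "%s.lock", path) >= (int)sizeof(lock))
		return CACHE_ERROR;
	/* O_EXCL makes lock acquisition fail while another writer holds it. */
	fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd < 0)                              /* expired, but no lock */
		return have ? CACHE_STALE : CACHE_ERROR; /* no file at all: assumption */
	ok = fill(fd) == 0;
	close(fd);
	/* rename() is atomic, so readers never see a half-written file. */
	if (ok && rename(lock, path) == 0)
		return CACHE_FILLED;
	unlink(lock);
	return CACHE_ERROR;
}
```

For CACHE_HIT, CACHE_FILLED and CACHE_STALE the caller sends the file at `path` to the client; only the stale case returns content older than `ttl`.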