cgit with patches for sandboxing using qssb
fe36f84d84
Using the url= query string, it was possible to request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file:

    http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd

http://data.zx2c4.com/cgit-directory-traversal.png

This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
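The request and the fix described in the commit message above, as an added example. This is not cgit's code and not the patch behind this commit: build_naive_path, path_within_base and demo_traversal are hypothetical names, and the directory layout is constructed under a mkdtemp(3) directory so that "repo/about/../../../secret.txt" plays the role of "/somerepo/about/../../../../etc/passwd". The naive variant is the pattern the request exploited; the hardened variant canonicalizes both sides with realpath(3) and then checks that the resolved request sits under the resolved root.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable variant: the client-controlled URL is glued under the repo root
 * with no check, so "about/../../../" walks straight out of it. */
static void build_naive_path(char *out, size_t len, const char *root, const char *url)
{
    snprintf(out, len, "%s/%s", root, url);
}

/* Hardened variant in the spirit of the fix the commit message describes:
 * canonicalize root and candidate with realpath(3), then require the candidate
 * to be the root itself or a descendant of it (root followed by '/').
 * The early return when realpath() fails with ENOENT is the existence side
 * channel the message warns about, and the result is only a snapshot: a
 * concurrent rename can change what the path means before it is opened (TOCTOU). */
static int path_within_base(const char *root, const char *candidate)
{
    char rroot[PATH_MAX], rcand[PATH_MAX];
    size_t n;

    if (!realpath(root, rroot) || !realpath(candidate, rcand))
        return 0;
    n = strlen(rroot);
    if (strncmp(rroot, rcand, n) != 0)
        return 0;
    /* Without this, "<root>-evil/x" would pass on the shared string prefix. */
    return rcand[n] == '\0' || rcand[n] == '/';
}

struct demo_result {
    int naive_reads_secret;         /* naive path reached a file outside root */
    int hardened_rejects_traversal;
    int hardened_accepts_legit;
};

static void write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Constructed layout under a mkdtemp(3) directory (test data, not a server):
 *   <tmp>/secret.txt              stands in for /etc/passwd
 *   <tmp>/root/repo/about/README  the only file a client should reach */
struct demo_result demo_traversal(void)
{
    struct demo_result r = {0, 0, 0};
    static const char *dirs[] = { "root", "root/repo", "root/repo/about", NULL };
    static const char *cleanup[] = { "root/repo/about/README", "root/repo/about",
                                     "root/repo", "root", "secret.txt", NULL };
    char tmpl[] = "/tmp/cgit-traversal-XXXXXX";
    char root[PATH_MAX], path[PATH_MAX], line[64];
    const char *tmp = mkdtemp(tmpl);
    FILE *f;
    int i;

    if (!tmp)
        return r;
    for (i = 0; dirs[i]; i++) {
        snprintf(path, sizeof path, "%s/%s", tmp, dirs[i]);
        mkdir(path, 0700);
    }
    snprintf(root, sizeof root, "%s/root", tmp);
    snprintf(path, sizeof path, "%s/secret.txt", tmp);
    write_file(path, "SECRET\n");
    snprintf(path, sizeof path, "%s/repo/about/README", root);
    write_file(path, "readme\n");

    /* The request from the commit message, relative to this layout. */
    build_naive_path(path, sizeof path, root, "repo/about/../../../secret.txt");
    if ((f = fopen(path, "r")) != NULL) {
        if (fgets(line, sizeof line, f) && strcmp(line, "SECRET\n") == 0)
            r.naive_reads_secret = 1;
        fclose(f);
    }
    r.hardened_rejects_traversal = !path_within_base(root, path);
    build_naive_path(path, sizeof path, root, "repo/about/README");
    r.hardened_accepts_legit = path_within_base(root, path);

    for (i = 0; cleanup[i]; i++) {
        snprintf(path, sizeof path, "%s/%s", tmp, cleanup[i]);
        remove(path);
    }
    rmdir(tmp);
    return r;
}

int main(void)
{
    struct demo_result r = demo_traversal();
    printf("naive path reads outside root: %d\n", r.naive_reads_secret);
    printf("hardened rejects traversal:    %d\n", r.hardened_rejects_traversal);
    printf("hardened accepts legit file:   %d\n", r.hardened_accepts_legit);
    return 0;
}
```

The boundary test on the character after the root prefix matters: comparing only the string prefix would accept a sibling directory such as "<root>-evil". Both caveats from the commit message remain in this version: a request for a nonexistent file returns from the first realpath() failure before any string comparison runs, which a client can time, and the canonical path is computed before the file is opened, so a symlink swapped in between the check and the open is not caught; opening the file first and validating the open descriptor (for example with fstat(2) and a directory walk via openat(2) with O_NOFOLLOW) closes that second gap.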
Tree:

  filters
  git@edca415256
  tests
  .gitignore
  .gitmodules
  cache.c
  cache.h
  cgit-doc.css
  cgit.c
  cgit.css
  cgit.h
  cgit.mk
  cgit.png
  cgitrc.5.txt
  cmd.c
  cmd.h
  configfile.c
  configfile.h
  COPYING
  gen-version.sh
  html.c
  html.h
  Makefile
  parsing.c
  README
  scan-tree.c
  scan-tree.h
  shared.c
  ui-atom.c
  ui-atom.h
  ui-blob.c
  ui-blob.h
  ui-clone.c
  ui-clone.h
  ui-commit.c
  ui-commit.h
  ui-diff.c
  ui-diff.h
  ui-log.c
  ui-log.h
  ui-patch.c
  ui-patch.h
  ui-plain.c
  ui-plain.h
  ui-refs.c
  ui-refs.h
  ui-repolist.c
  ui-repolist.h
  ui-shared.c
  ui-shared.h
  ui-snapshot.c
  ui-snapshot.h
  ui-ssdiff.c
  ui-ssdiff.h
  ui-stats.c
  ui-stats.h
  ui-summary.c
  ui-summary.h
  ui-tag.c
  ui-tag.h
  ui-tree.c
  ui-tree.h
  vector.c
  vector.h
cgit - cgi for git
==================

This is an attempt to create a fast web interface for the git scm, using a
built-in cache to decrease server I/O pressure.

Installation
------------

Building cgit involves building a proper version of git. How to do this
depends on how you obtained the cgit sources:

a) If you're working in a cloned cgit repository, you first need to
   initialize and update the git submodule:

    $ git submodule init     # register the git submodule in .git/config
    $ $EDITOR .git/config    # if you want to specify a different url for git
    $ git submodule update   # clone/fetch and checkout correct git version

b) If you're building from a cgit tarball, you can download a proper git
   version like this:

    $ make get-git

When either a) or b) has been performed, you can build and install cgit like
this:

    $ make
    $ sudo make install

This will install cgit.cgi and cgit.css into "/var/www/htdocs/cgit". You can
configure this location (and a few other things) by providing a "cgit.conf"
file (see the Makefile for details).

Dependencies:

    - git 1.7.4
    - zlib
    - crypto lib
    - openssl lib

Apache configuration
--------------------

A new Directory section must probably be added for cgit, possibly something
like this:

    <Directory "/var/www/htdocs/cgit/">
        AllowOverride None
        Options +ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

(The last two directives are Apache 2.2 syntax; on Apache 2.4 they are
replaced by a single "Require all granted".)

Runtime configuration
---------------------

The file /etc/cgitrc is read by cgit before handling a request. In addition
to runtime parameters, this file may also contain a list of repositories
displayed by cgit (see cgitrc.5.txt for further details).

The cache
---------

When cgit is invoked it looks for a cachefile matching the request and
returns it to the client. If no such cachefile exists (or if it has expired),
the content for the request is written into the proper cachefile before the
file is returned.

If the cachefile has expired but cgit is unable to obtain a lock for it, the
stale cachefile is returned to the client. This is done to favour page
throughput over page freshness.

The generated content contains the complete response to the client, including
the HTTP headers "Last-Modified" and "Expires".

Online presence
---------------

* The cgit homepage is hosted by cgit at <http://git.zx2c4.com/cgit/about>
* Patches, bug reports, discussions and support should go to the cgit
  mailing list: <cgit@lists.zx2c4.com>. To sign up, visit
  <http://lists.zx2c4.com/mailman/listinfo/cgit>
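The cache policy described in "The cache" above (serve a fresh cachefile, regenerate a missing or expired one under a lock, and fall back to the stale copy when the lock cannot be taken), as an added example. This is not cgit's cache.c: cache_serve, render_page and demo_cache are hypothetical names, the "lock" is a file created with O_CREAT|O_EXCL that the winner writes into and then rename(2)s over the cachefile, the current time is passed in so the demo can age entries deterministically, and the miss-plus-busy-lock case (which the README does not specify) is handled by rendering without caching. The scenario runs in a mkdtemp(3) directory with a second "worker" simulated by pre-creating the lockfile.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

enum served { SERVED_NONE, SERVED_FRESH, SERVED_GENERATED, SERVED_STALE, SERVED_UNCACHED };

static int render_calls;   /* how often the (expensive) generator ran */

/* Stand-in for rendering a page; the complete response, headers included,
 * is what gets cached. The real thing would run git here. */
static void render_page(const char *key, char *out, size_t len)
{
    render_calls++;
    snprintf(out, len, "Content-Type: text/html\n\n<html>%s #%d</html>\n", key, render_calls);
}

static int read_whole(const char *path, char *out, size_t len)
{
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(out, 1, len - 1, f) : 0;
    out[n] = '\0';
    if (f) fclose(f);
    return f != NULL;
}

/* One request against the cache directory:
 *   fresh cachefile             -> serve it                           SERVED_FRESH
 *   missing or expired, lock won -> render, write lockfile, rename   SERVED_GENERATED
 *   expired, lock busy          -> serve the stale copy               SERVED_STALE
 *   missing, lock busy          -> render without caching             SERVED_UNCACHED
 * O_CREAT|O_EXCL makes lockfile creation the mutual exclusion; rename(2)
 * releases the lock and publishes the new content in one atomic step. */
enum served cache_serve(const char *dir, const char *key, int ttl, time_t now,
                        char *out, size_t len)
{
    char cachefile[PATH_MAX], lockfile[PATH_MAX];
    struct stat st;
    int have, lockfd;
    FILE *f;

    snprintf(cachefile, sizeof cachefile, "%s/%s", dir, key);
    snprintf(lockfile, sizeof lockfile, "%s/%s.lock", dir, key);
    have = stat(cachefile, &st) == 0;
    if (have && now - st.st_mtime < ttl)
        return read_whole(cachefile, out, len) ? SERVED_FRESH : SERVED_NONE;
    lockfd = open(lockfile, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (lockfd < 0) {
        if (have && read_whole(cachefile, out, len))
            return SERVED_STALE;
        render_page(key, out, len);
        return SERVED_UNCACHED;
    }
    render_page(key, out, len);
    f = fdopen(lockfd, "w");
    fputs(out, f);
    fclose(f);
    rename(lockfile, cachefile);
    return SERVED_GENERATED;
}

struct cache_demo { enum served miss, hit, expired_locked, expired_free; int renders; };

/* Constructed scenario: miss, hit, expired while another worker holds the
 * lock, expired with the lock free. Four requests, two renders. */
struct cache_demo demo_cache(void)
{
    struct cache_demo d = {SERVED_NONE, SERVED_NONE, SERVED_NONE, SERVED_NONE, 0};
    char tmpl[] = "/tmp/cgit-cache-XXXXXX", out[256], lock[PATH_MAX], entry[PATH_MAX];
    const char *dir = mkdtemp(tmpl);
    time_t now = time(NULL);
    int fd;

    render_calls = 0;
    if (!dir)
        return d;
    d.miss = cache_serve(dir, "summary", 30, now, out, sizeof out);
    d.hit  = cache_serve(dir, "summary", 30, now, out, sizeof out);
    snprintf(lock, sizeof lock, "%s/summary.lock", dir);
    fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);  /* other worker */
    d.expired_locked = cache_serve(dir, "summary", 30, now + 120, out, sizeof out);
    if (fd >= 0) { close(fd); unlink(lock); }
    d.expired_free = cache_serve(dir, "summary", 30, now + 120, out, sizeof out);
    d.renders = render_calls;
    snprintf(entry, sizeof entry, "%s/summary", dir);
    unlink(entry);
    rmdir(dir);
    return d;
}

int main(void)
{
    struct cache_demo d = demo_cache();
    printf("miss=%d hit=%d expired+locked=%d expired+free=%d renders=%d\n",
           d.miss, d.hit, d.expired_locked, d.expired_free, d.renders);
    return 0;
}
```

Serving the stale copy is what keeps throughput up under load: a burst of requests for an expired page costs one render rather than one per request, and clients never see a half-written file because the new content only becomes visible at the rename. The price is that a crashed worker leaves its lockfile behind, so a real implementation also needs a way to reclaim abandoned locks.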