Age | Commit message (Collapse) | Author |
|
Enhancements:
- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile
Security:
- CVE-2012-4465: heap-buffer overflow in parsing.c
- CVE-2012-4548: syntax highlighting command injection
Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stablization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
Previously, the id_str (i.e. the current or diffed-against commit's
SHA1 ID) was simply concatenated to the URL. Now, prepend an "id="
string so that the links actually point to the right blobs and thus
the exact lines.
Signed-off-by: Julius Plenz <plenz@cis.fu-berlin.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Copying the output of cgit and using it in patches now works when adding
files to or removing files from the repository. This is helpful for people
who use cgit in their patch workflow.
|
|
Github will have more bandwidth than Lars' server.
|
|
Remove tags file from working directory.
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
|
|
Display a placeholder when creating links to commits with empty subjects.
This avoids the creation of links of the form <a></a>.
|
|
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.
This patch adds simple argument quoting.
|
|
|
|
|
|
According to Dan Rue <drue@therub.org>, FreeBSD requires the lib paths
to get libiconv from /usr/local.
|
|
Since we're now properly writing ampersand literals as & instead of
as a plain &, we need to update the test accordingly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This makes it possible to use strict commit date ordering or strict
topological ordering by passing the corresponding flags to "git log".
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Flag which, when set to "1", will sort the sections on the repository
listing by name. Set this flag to "0" if the order in the cgitrc file
should be preserved. Default value: "1".
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
After some back and forth with Jamie and René, it looks like the git
config semantics are going to be like this:
- gitweb.category maps to the cgit repo config key "section"
- gitweb.description maps to the cgit repo config key "desc"
- gitweb.owner maps to the cgit repo config key "owner"
- cgit.* maps to all cgit repo config keys
This option can be enabled with "enable-git-config=1", and replaces
all previous "enable-gitweb-*" config keys.
The order of operations is as follows:
- git config settings are applied in the order that they exist in
the git config file
- if the owner is not set from git config, get the owner using the
usual getpwuid call
- if the description is not set from git config, look inside the
static $path/description file
- if section-from-path=1, override whatever previous settings were
inside of git config using the section-from-path logic
- parse $path/cgitrc for local repo.* settings, that override all
previous settings
|
|
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This makes it possible to activate the enable_commit_graph,
enable_log_filecount, and enable_log_linecount for individual
repositories, even if the global setting is "0" (default).
The commit that introduced the broken behavior was e189344, and the
commit message of that makes it clear that this wasn't the intended
behavior.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
There are 2 situations:
1- empty extension: assuming text is better than highlight
producing no output because of a missing argument.
2- no extension at all: assuming text is better than setting
the extension to the filename, which is what now happens.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
This reverts commit f50be7fda0a7ab57009169dd5905fcbab8eb5166.
An update with the latest highlight landed in EPEL. This new version
doesn't have the --force bug, so the workaround can now be removed.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
|
|
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
|
|
* parsing.c (substr): Handle tail < head.
This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.
The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:
$ git log -1
commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
Author: <T at h.or>
Date: Mon Apr 23 22:29:16 2012 +0200
Here's what happens:
(this is due to buf=malloc(0); strncpy (buf, head, -1);
where "head" may point to plenty of attacker-specified non-NUL bytes,
so we can overwrite a zero-length heap buffer with arbitrary data)
Invalid write of size 1
at 0x4A09361: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
at 0x4A0884D: malloc (vg_replace_malloc.c:263)
by 0x455C85: xmalloc (wrapper.c:35)
by 0x40894C: substr (parsing.c:60)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
Invalid write of size 1
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
Invalid write of size 1
at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x502F000
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
This happens when tail - head == -1 here:
(parsing.c)
char *substr(const char *head, const char *tail)
{
char *buf;
buf = xmalloc(tail - head + 1);
strncpy(buf, head, tail - head);
buf[tail - head] = '\0';
return buf;
}
char *parse_user(char *t, char **name, char **email, unsigned long *date)
{
char *p = t;
int mode = 1;
while (p && *p) {
if (mode == 1 && *p == '<') {
*name = substr(t, p - 1);
t = p;
mode++;
} else if (mode == 1 && *p == '\n') {
The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.
And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID. To construct the offending commit, I had to resort to
using "git hash-object".
git init -q foo &&
( cd foo &&
echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
h=$(git cat-file commit HEAD|sed 's/au //' \
|git hash-object -t commit -w --stdin) &&
git co -q -b test $h &&
git br -q -D master &&
git br -q -m test master)
git clone -q --bare foo foo.git
cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit
The valgrind output is what you see above.
AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault. Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
|
|
Since cgit snapshots of tags are often used for releases, we don't
want the rarely used feature of the gzip compressor that includes
an embedded timestamp into the archive, since this makes each tarball
of the same (potentially signed) tag different.
This commit refactors the archive handling code a bit so that each
different format is able to run with an arbitrary argv for the filter.
|
|
|
|
Add two options, one for doing the ordinary name sorts in a
case-insensitive manner, and another for choosing to sort repos in each
section by age instead of by name.
|
|
Use gitweb.category from git config to determine repo's section, if
option is enabled.
|
|
Use gitweb.description instead of description file to determine
description, if option is enabled.
|
|
Don't bother with 'body' and 'div#cgit form', since
everything is wrapped in 'div#cgit' already.
Removing these two types makes embedding even easier.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
|
|
|
|
|
|
|
|
improves readability when embedding into a page that
has the text color set to a different color
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
When embedding cgit in other pages, the logo alignment needs to be
specified to avoid any css rules from the embedding page to make the
page look bad.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
to facilitate easier embedding
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
|
|
|
|
v2: incorporate remarks of Lukas
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
v2: incorporate remarks of Lukas
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
|
|
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
|
|
ctx.qry.head can be NULL in some cases due to bad requests
by weird bots. I managed to reproduce with:
PATH_INFO=/repo.git/shop.php QUERY_STRING=id=
Signed-off-by: Eric Wong <normalperson@yhbt.net>
|
|
**L would have worked well too. Depending on the distribution sizeof *L
may return 8 instead of 4. **L is preferable, but since we don't expect
this datatype to change very often, sizeof int is less subtle and easier
to understand.
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
|
|
Each individual string may be too long for its respective
dimension of the LCS table.
Signed-off-by: Eric Wong <normalperson@yhbt.net>
|
|
|
|
When a repository is empty, the ATOM feed link is written in the header,
but this involves formatting ctx->qry.head which is NULL in this case.
With glibc, vsnprintf formats "%s" with a NULL input as "(null)" but on
Solaris this results in a segmentation fault. Since we don't have a
meaningful head for the atom feed in an empty repository, it's simplest
not to write out the link element at all.
Signed-off-by: John Keeping <john@metanate.com>
|