Commit Graph

983 Commits

Author SHA1 Message Date
Tobias Bieniek
8f40be229c repo_config: do not let globals override repo settings
This makes it possible to activate the enable_commit_graph,
enable_log_filecount, and enable_log_linecount for individual
repositories, even if the global setting is "0" (default).

The commit that introduced the broken behavior was e189344, and the
commit message of that makes it clear that this wasn't the intended
behavior.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2012-10-16 23:00:50 +02:00
Jason A. Donenfeld
a9a6a20560 README: times, they are a-changin 2012-10-09 13:21:30 +02:00
Ferry Huberts
d14faf4424 syntax-highlight: when the file has no extension, assume text
There are 2 situations:
1- empty extension: assuming text is better than highlight
   producing no output because of a missing argument.
2- no extension at all: assuming text is better than setting
   the extension to the filename, which is what now happens.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-10-09 13:19:12 +02:00
Ferry Huberts
e52a5226b8 ui-repolist: do not use agefile if it's date could not be parsed
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-10-09 13:14:21 +02:00
Ferry Huberts
2ad9063cb5 Revert "filters/syntax-highlighting.sh: work around highlight --force bug"
This reverts commit f50be7fda0.

An update with the latest highlight landed in EPEL. This new version
doesn't have the --force bug, so the workaround can now be removed.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-10-09 13:12:09 +02:00
Jamie Couture
6419c9b57c Makefile: add tag target to generate ctags
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
2012-10-08 23:40:23 +02:00
Jamie Couture
4675b91211 ui-repolist: Bold the currently viewed page.
Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
2012-10-08 23:29:29 +02:00
Jim Meyering
61d4147ea2 do not write outside heap buffer
* parsing.c (substr): Handle tail < head.

This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.

The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:

    $ git log -1
    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
    Author: <T at h.or>
    Date:   Mon Apr 23 22:29:16 2012 +0200

Here's what happens:

(this is due to buf=malloc(0); strncpy (buf, head, -1);
 where "head" may point to plenty of attacker-specified non-NUL bytes,
 so we can overwrite a zero-length heap buffer with arbitrary data)

 Invalid write of size 1
    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
    by 0x455C85: xmalloc (wrapper.c:35)
    by 0x40894C: substr (parsing.c:60)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)

 Invalid write of size 1
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd

 Invalid write of size 1
    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x502F000
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)

This happens when tail - head == -1 here:
(parsing.c)

  char *substr(const char *head, const char *tail)
  {
          char *buf;

          buf = xmalloc(tail - head + 1);
          strncpy(buf, head, tail - head);
          buf[tail - head] = '\0';
          return buf;
  }

  char *parse_user(char *t, char **name, char **email, unsigned long *date)
  {
          char *p = t;
          int mode = 1;

          while (p && *p) {
                  if (mode == 1 && *p == '<') {
                          *name = substr(t, p - 1);
                          t = p;
                          mode++;
                  } else if (mode == 1 && *p == '\n') {

The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.

And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID.  To construct the offending commit, I had to resort to
using "git hash-object".

git init -q foo &&
( cd foo &&
  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
  h=$(git cat-file commit HEAD|sed 's/au //' \
    |git hash-object -t commit -w --stdin) &&
  git co -q -b test $h &&
  git br -q -D master &&
  git br -q -m test master)
git clone -q --bare foo foo.git

cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit

The valgrind output is what you see above.

AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
2012-10-02 04:03:47 +02:00
Jason A. Donenfeld
055e092a33 ui-snapshot: pass -n to gzip, to suppress timestamp
Since cgit snapshots of tags are often used for releases, we don't
want the rarely used feature of the gzip compressor that includes
an embedded timestamp into the archive, since this makes each tarball
of the same (potentially signed) tag different.

This commit refactors the archive handling code a bit so that each
different format is able to run with an arbitrary argv for the filter.
2012-09-27 03:35:25 +02:00
Jason A. Donenfeld
7f08e03941 Update copyright headers to have latest dates. 2012-07-12 20:01:46 +02:00
Jason A. Donenfeld
184c5655b2 ui-repolist: Case insensitive sorting and age sort
Add two options, one for doing the ordinary name sorts in a
case-insensitive manner, and another for choosing to sort repos in each
section by age instead of by name.
2012-07-12 20:01:46 +02:00
Jason A. Donenfeld
fc9181ff3d scan-tree: Support gitweb.category.
Use gitweb.category from git config to determine repo's section, if
option is enabled.
2012-07-12 20:01:46 +02:00
Jason A. Donenfeld
b56be4ba3a scan-tree: Support gitweb.description.
Use gitweb.description instead of description file to determine
description, if option is enabled.
2012-07-12 20:01:46 +02:00
Ferry Huberts
45555512ba css: only use div#cgit
Don't bother with 'body' and 'div#cgit form', since
everything is wrapped in 'div#cgit' already.
Removing these two types makes embedding even easier.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-20 07:00:20 +00:00
Lars Hjemli
ae90a0b2d1 Merge branch 'fh/mimetypes' 2012-03-18 21:01:28 +00:00
Lars Hjemli
181b6e789b Merge branch 'jp/defbranch' 2012-03-18 21:00:18 +00:00
Lars Hjemli
2b9fab8d30 Merge branch 'lh/module-links' 2012-03-18 20:59:36 +00:00
Lars Hjemli
08352c7a02 Merge branch 'stable' 2012-03-18 20:23:30 +00:00
Ferry Huberts
6e63ebfe00 css: force text color to black on decorations
improves readability when embedding into a page that
has the text color set to a different color

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-18 20:22:51 +00:00
Ferry Huberts
fac65a7ed2 css: vertically align the cgit logo image
When embedding cgit in other pages, the logo alignment needs to be
specified to avoid any css rules from the embedding page to make the
page look bad.

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-18 20:22:18 +00:00
Ferry Huberts
add1ccb1d8 css: prefix all styles with div#cgit
to facilitate easier embedding

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-18 20:22:02 +00:00
Ferry Huberts
f50be7fda0 filters/syntax-highlighting.sh: work around highlight --force bug 2012-03-18 20:12:36 +00:00
Ferry Huberts
375353caff filters/highlight.sh: manually support highlight version 2 and 3 2012-03-18 20:12:35 +00:00
Ferry Huberts
561959cffa tests: properly quote arguments to printf
v2: incorporate remarks of Lukas

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-18 10:54:50 +00:00
Ferry Huberts
f8492f79a3 tests: handle paths with whitespace
v2: incorporate remarks of Lukas

Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>
2012-03-18 10:54:42 +00:00
Lars Hjemli
7996157f14 Merge branch 'stable' 2012-03-18 10:19:59 +00:00
Lars Hjemli
e032761a5e CGIT-0.9.0.3
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2012-03-18 10:16:27 +00:00
Lars Hjemli
961893b547 Merge branch 'stable' 2012-03-18 10:10:10 +00:00
Eric Wong
21418ec42a segfault fix on some bogus requests
ctx.qry.head can be NULL in some cases due to bad requests
by weird bots.  I managed to reproduce with:

   PATH_INFO=/repo.git/shop.php QUERY_STRING=id=

Signed-off-by: Eric Wong <normalperson@yhbt.net>
2012-03-18 09:26:31 +00:00
Jamie Couture
6a575b8900 use correct type for sizeof
**L would have worked well too.  Depending on the distribution sizeof *L
may return 8 instead of 4. **L is preferable, but since we don't expect
this datatype to change very often, sizeof int is less subtle and easier
to understand.

Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
2012-03-18 09:26:31 +00:00
Eric Wong
19c31231fa ui-ssdiff.c: correct length check for LCS table
Each individual string may be too long for its respective
dimension of the LCS table.

Signed-off-by: Eric Wong <normalperson@yhbt.net>
2012-01-08 10:01:49 +00:00
Lars Hjemli
1de3048d08 Merge branch 'stable' 2012-01-03 21:19:29 +00:00
John Keeping
94b7c76e53 Fix segmentation fault in empty repository
When a repository is empty, the ATOM feed link is written in the header,
but this involves formatting ctx->qry.head which is NULL in this case.
With glibc, vsnprintf formats "%s" with a NULL input as "(null)" but on
Solaris this results in a segmentation fault.  Since we don't have a
meaningful head for the atom feed in an empty repository, it's simplest
not to write out the link element at all.

Signed-off-by: John Keeping <john@metanate.com>
2012-01-03 21:00:30 +00:00
Lars Hjemli
aa25ff3c8b Merge branch 'stable' 2012-01-03 16:48:22 +00:00
Lars Hjemli
fbd254d54e Makefile: fetch git tarballs from http://hjemli.net/git/git/
The git tarballs are currently not available from kernel.org, so for now
the makefile will download autogenerated tarballs from cgit.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2012-01-03 16:43:33 +00:00
Norberto Lopes
dad620ee56 fix css color value and vertical-align value 2012-01-03 16:25:46 +00:00
Tim Chen
1957425726 ui-ssdiff.c: set correct diffmode in "control panel"
When side-by-side-diffs=1 was set in cgitrc, specifying 'ss=0' in the
querystring would not set the 'unified' option as active in the dropdown
box used to select diffmode.
2012-01-03 16:09:59 +00:00
Lars Hjemli
04254fa903 Merge branch 'stable' 2012-01-03 16:06:58 +00:00
Tim Chen
f2ced535e9 Fix diff mode switching when side-by-side-diffs=1
When side-by-side-diffs=1 was set in cgitrc, specyfing 'ss=0' in the query-
string would not switch to unified diffs. This patch fixes the issue by
introducing a separate variable to track the occurrence of "ss" in the
querystring.
2012-01-03 16:02:14 +00:00
Georg Müller
0b6a716d1b ui-log.c: do not show remote heads if enable-remote-branches=0
If remote branches are not enabled, the branches are still listed in
the log view. This patch removes them if enable-remote-branches=0.
2012-01-03 15:35:06 +00:00
Tobias Grimm
7530d94f05 Add sort parameter to pager of repo list
When the repolist is paged, the page-links are missing the sort parameter,
causing the initial page to be custom sorted, but any clicked page will
then be with the default sort order again.
2012-01-03 15:20:17 +00:00
Jamie Couture
e19f7d7180 ui-ssdiff: move LCS table away from the stack
Printing deferred line changes for files containing long lines would
cause a segfault.

- limit LCS table size: 128x128.
- move LCS table to global context: avoid allocating/freeing memory
  for every deferred line change.

Signed-off-by: Jamie Couture <jamie.couture@gmail.com>
2012-01-03 15:16:01 +00:00
Lukas Fleischer
d96d2c98eb shared.c: Only setenv() if value is non-null
Some setenv() implementations (e.g. the one in OpenBSD's stdlib)
segfault if we pass a NULL value. Only set environment variables if the
corresponding settings are defined to avoid this.

Note that this is a minor behaviour change as environment variables were
supposed to be set to an empty string if a setting was undefined. Given
that this feature isn't part of any official release yet, there's no
need to worry about backwards compatibility, really. Change the
documentation accordingly.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2012-01-03 14:59:36 +00:00
Lukas Fleischer
8185169e5e shared.c: Remove unused "linux/limits.h" include
This isn't used anywhere and prevents the code from being compiled on
other platforms, such as *BSD.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2012-01-03 14:53:41 +00:00
Lars Hjemli
756e3ea639 Merge branch 'stable' 2011-07-22 12:22:17 +00:00
Lukas Fleischer
bebe89d7c1 Fix potential XSS vulnerability in rename hint
The file name displayed in the rename hint should be escaped to avoid
XSS. Note that this vulnerability is only applicable when an attacker
has gained push access to the repository.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-07-22 12:21:28 +00:00
Lukas Fleischer
1e25ac5b8f Remove dead initialization in cgit_parse_commit()
The value stored to "t" during its initialization gets overwritten in
any case, so just leave it uninitialized. Spotted by clang-analyzer.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-07-22 12:21:11 +00:00
Lars Hjemli
bf8c7a4c93 Merge branch 'stable' 2011-07-21 14:27:03 +00:00
Lars Hjemli
654ebb55d4 CGIT 0.9.0.2
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-07-21 14:24:10 +00:00
Eric Wong
9cae75d040 html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with with -O2 optimization on x86
with gcc (Debian 4.4.5-8) 4.4.5

I can reliably reproduce it with the following parameters
when pointed to the git.git repository:

PATH_INFO='/git-core.git/diff/'
QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8'

Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-07-21 14:21:52 +00:00