Commit Graph

285 Commits

Author SHA1 Message Date
Jason A. Donenfeld
1c581a0726 ui-blob: Do not accept mimetype from user 2016-01-14 14:31:13 +01:00
Jason A. Donenfeld
4458abf641 filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-11-24 11:31:43 +01:00
John Keeping
94182d6031 cgit.c: remove useless null check
Everywhere else in this function we do not check whether the value is
null and parse_configfile() never passes a null value to this callback.

Coverity-id: 13846
Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09 10:54:19 +02:00
Jason A. Donenfeld
03de473354 cmd: no need for pre function hook now
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-08-14 15:54:32 +02:00
John Keeping
a420c7ce9b cmd: remove "want_layout" field
No commands use this any more.

Signed-off-by: John Keeping <john@keeping.me.uk>
2015-08-14 15:46:51 +02:00
John Keeping
e9b71ae6fe cgit: use cgit_print_error_page() where appropriate
These are more-or-less one-to-one translations but in the final hunk we
gain an HTTP error code where we used to send "200 OK", which is an
improvement.

Signed-off-by: John Keeping <john@keeping.me.uk>
2015-08-14 15:46:51 +02:00
John Keeping
30304d8156 log: allow users to follow a file
Teach the "log" UI to behave in the same way as "git log --follow", when
given a suitable instruction by the user.  The default behaviour remains
to show the log without following renames, but the follow behaviour can
be activated by following a link in the page header.

Follow is not the default because outputting merges in follow mode is
tricky ("git log --follow" will not show merges).  We also disable the
graph in follow mode because the commit graph is not simplified so we
end up with frequent gaps in the graph and many lines that do not
connect with any commits we're actually showing.

We also teach the "diff" and "commit" UIs to respect the follow flag on
URLs, causing the single-file version of these UIs to detect renames.
This feature is needed only for commits that rename the path we're
interested in.

For commits before the file has been renamed (i.e. that appear later in
the log list) we change the file path in the links from the log to point
to the old name; this means that links to commits always limit by the
path known to that commit.  If we didn't do this we would need to walk
down the log diff'ing every commit whenever we want to show a commit.
The drawback is that the "Log" link in the top bar of such a page links
to the log limited by the old name, so it will only show pre-rename
commits.  I consider this a reasonable trade-off since the "Back" button
still works and the log matches the path displayed in the top bar.

Since following renames requires running diff on every commit we
consider, I've added a knob to the configuration file to globally
enable/disable this feature.  Note that we may consider a large number
of commits the revision walking machinery no longer performs any path
limitation so we have to examine every commit until we find a page full
of commits that affect the target path or something related to it.

Suggested-by: René Neumann <necoro@necoro.eu>
Signed-off-by: John Keeping <john@keeping.me.uk>
2015-08-12 16:57:46 +02:00
Jason A. Donenfeld
d7034806a4 about: always ensure page has a trailing slash
Otherwise we can't easily embed links to other /about/ pages.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-08-12 15:03:32 +02:00
Christian Hesse
de83de276b git: update to v2.5.0
Update to git version v2.5.0.

* Upstream commit 5455ee0573a22bb793a7083d593ae1ace909cd4c (Merge branch
  'bc/object-id') changed API:

  for_each_ref() callback functions were taught to name the objects
  not with "unsigned char sha1[20]" but with "struct object_id".

* Upstream commit dcf692625ac569fefbe52269061230f4fde10e47 (path.c: make
  get_pathname() call sites return const char *)

Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-12 14:09:05 +02:00
Daniel Reichelt
dc41a00180 Fix processing of repo.hide and repo.ignore
If the global option enable-filter-overrides is set to 1 the repo-specific
options repo.hide and repo.ignore never got processed.

Signed-off-by: Daniel Reichelt <hacking@nachtgeist.net>
Reviewed-by: John Keeping <john@keeping.me.uk>
2015-08-12 14:08:15 +02:00
Jason A. Donenfeld
f3ab1f178f cgit: remember to set up env vars before empty clone path 2015-03-09 17:42:12 +01:00
John Keeping
e3d3fffdd4 Avoid non-ANSI function declarations
Sparse says things like:

	warning: non-ANSI function declaration of function 'calc_ttl'

Signed-off-by: John Keeping <john@keeping.me.uk>
2015-03-09 17:38:30 +01:00
Jason A. Donenfeld
bd24832cd7 cgit: show clone URLs for empty repo 2015-03-05 02:32:13 +01:00
Christian Hesse
7358f63015 git: update for v2.3.0
* sort_string_list(): rename to string_list_sort() (upstream commit
  3383e199)
* update read_tree_recursive callback to pass strbuf as base (upstream
  commit 6a0b0b6d)

Signed-off-by: Christian Hesse <mail@eworm.de>
2015-02-08 18:11:09 +01:00
Lukas Fleischer
c58cec9dff Add repo.hide and repo.ignore
These options can be used to hide a repository from the index or
completely ignore a repository, respectively. They are particularly
useful when used in combination with scan-path.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2015-01-29 16:41:14 +01:00
Chris Burroughs
96ceb9a95a repolist: add owner-filter
This allows custom links to be used for repository owners by
configuring a filter to be applied in the "Owner" column in the
repository list.
2014-12-23 19:08:20 -07:00
Christian Hesse
17838ec630 git: update to v2.2.1
Update to git version v2.2.1, including API changes.

Signed-off-by: Christian Hesse <mail@eworm.de>
2014-12-23 18:53:03 -07:00
John Keeping
1830271c59 Change "ss" diff flag to an enum
This will allow us to introduce a new "stat only" diff mode without
needing an explosion of mutually incompatible flags.

The old "ss" query parameter is still accepted in order to avoid
breaking saved links, but we no longer generate any URIs using it;
instead the new "dt" (diff type) parameter is used.

Signed-off-by: John Keeping <john@keeping.me.uk>
2014-12-13 12:38:42 +01:00
Lukas Fleischer
9dd67272ed Always check if README exists in choose_readme()
Specifying a nonexistent README file via the readme option is sometimes
useful, e.g. when using scan-path and setting a global default.
Currently, we check whether there is only one option in the readme
option and, if so, we choose that file without checking whether it
exists. As a consequence, all repositories are equipped with an about
link in the aforementioned scenario, even if there is no about file.
Remove the early check for the number of keys and always check whether
the file exists instead.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-08-07 14:38:02 +02:00
Christian Hesse
79c985e13c git: update for git 2.0
prefixcmp() and suffixcmp() have been remove, functionality is now
provided by starts_with() and ends_with(). Retrurn values have been
changed, so instead of just renaming we have to fix logic.
Everything else looks just fine.
2014-06-28 15:14:56 +02:00
Lukas Fleischer
a3722ec3c6 Add a cache-snapshot-ttl configuration variable
This can be used to specify the TTL for snapshots. Snapshots are usually
static and do not ever change. On the other hand, tarball generation is
CPU intensive.

One use case of this setting (apart from increasing the lifetime of
snapshot cache slots) is caching of snapshots while disabling the cache
for static/dynamic HTML pages (by setting TTL to zero for everything
except for snapshot requests).

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-02-20 19:56:44 +01:00
Jason A. Donenfeld
6a1563343c cgit: add --version argument for printing info
We need this to do runtime tests for make test.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-20 13:05:08 +01:00
Jason A. Donenfeld
9999b0a3e9 cgit.c: free tmp variable
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-17 00:48:17 +01:00
Lukas Fleischer
f60ffa143c Switch to exclusively using global ctx
Drop the context parameter from the following functions (and all static
helpers used by them) and use the global context instead:

* cgit_print_http_headers()
* cgit_print_docstart()
* cgit_print_pageheader()

Remove context parameter from all commands

Drop the context parameter from the following functions (and all static
helpers used by them) and use the global context instead:

* cgit_get_cmd()
* All cgit command functions.
* cgit_clone_info()
* cgit_clone_objects()
* cgit_clone_head()
* cgit_print_plain()
* cgit_show_stats()

In initialization routines, use the global context variable instead of
passing a pointer around locally.

Remove callback data parameter for cache slots

This is no longer needed since the context is always read from the
global context variable.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-17 00:44:54 +01:00
Jason A. Donenfeld
a431326e8f auth: have cgit calculate login address
This way we're sure to use virtual root, or any other strangeness
encountered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 23:21:54 +01:00
Jason A. Donenfeld
b826537cb4 authentication: use hidden form instead of referer
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 12:13:39 +01:00
Jason A. Donenfeld
d6e9200cc3 auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very plugable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-16 02:28:12 +01:00
Jason A. Donenfeld
a5e1553726 filter: add support for email filter
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 02:00:07 +01:00
Jason A. Donenfeld
e83b51b4f6 filter: basic write hooking infrastructure
Filters can now call hook_write and unhook_write if they want to
redirect writing to stdout to a different function. This saves us from
potential file descriptor pipes and other less efficient mechanisms.

We do this instead of replacing the call in html_raw because some places
stdlib's printf functions are used (ui-patch or within git itself),
which has its own internal buffering, which makes it difficult to
interlace our function calls. So, we dlsym libc's write and then
override it in the link stage.

While we're at it, we move considerations of argument count into the
generic new filter handler.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 02:00:07 +01:00
Jason A. Donenfeld
d750c7a2c9 filter: allow for cleanup hook for filter types
At some point, we're going to want to do lazy deallocation of filters.
For example, if we implement lua, we'll want to load the lua runtime
once for each filter, even if that filter is called many times.
Similarly, for persistent exec filters, we'll want to load it once,
despite many open_filter and close_filter calls, and only reap the child
process at the end of the cgit process. For this reason, we add here a
cleanup function that is called at the end of cgit's main().

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-14 02:00:07 +01:00
John Keeping
632efb25c0 filter: add fprintf_filter function
This stops the code in cgit.c::print_repo needing to inspect the
cgit_filter structure, meaning that we can abstract out different filter
types that will have different fields that need to be printed.

Signed-off-by: John Keeping <john@keeping.me.uk>
2014-01-14 02:00:07 +01:00
Jason A. Donenfeld
3eae406934 filter: split filter functions into their own file
A first step for more interesting things.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2014-01-10 17:45:43 +01:00
Lukas Fleischer
c96becc1e5 cgit.c: Fix comment on bit mask hack
* Formatting and spelling fixes.

* A bit mask with the size of one byte only allows for storing 8 (not
  255!) different flags.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-10 17:06:24 +01:00
Lukas Fleischer
441e748564 cgit.c: Use "else" for mutually exclusive branches
When parsing command line arguments, no pair of command line options can
ever match simultaneously. Use "else if" blocks to reflect this. This
change improves both readability and speed.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-10 17:05:34 +01:00
Lukas Fleischer
36bdb2171f Replace most uses of strncmp() with prefixcmp()
This is a preparation for replacing all prefix checks with either
strip_prefix() or starts_with() when Git 1.8.6 is released.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-10 17:01:29 +01:00
Lukas Fleischer
f7f26f8875 Update copyright information
* Name "cgit Development Team" as copyright holder to avoid listing
  every single developer.

* Update copyright ranges.

Signed-off-by: Lukas Fleischer <cgit@crytocrack.de>
2014-01-08 15:10:49 +01:00
Jason A. Donenfeld
00e3a3ecda cache: id means static, even if head is specified too
Pages like /commit?h=wip&id=8a335ce618ba77fbf05148d6f8be17bd48ba4340
were being marked as dynamic, because of h=wip, when it should be
static, because of id=.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-08-12 13:14:10 -06:00
Jason A. Donenfeld
61ff10065b cache: document negative ttls and add about ttl
We've long supported negative ttls, for infinite cache, except the
documentation incorrectly showed one of our defaults as being 5 and not
-1. As well, with a negative ttl, we were actually making the HTTP
expired header go backwards. This changes it to go ahead ten years
instead.

Further, we add an cache-about-ttl option to set a different ttl for
about pages, which are now increasingly being filtered through markdown
or just sent statically anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-08-12 13:14:10 -06:00
Christian Hesse
830eb6f6ff use favicon by default 2013-08-12 12:44:44 -06:00
Jason A. Donenfeld
dcbc0438b2 readme: use string_list instead of space deliminations
Now this is possible in cgitrc -

readme=:README.md
readme=:readme.md
readme=:README.mkd
readme=:readme.mkd
readme=:README.rst
readme=:readme.rst
readme=:README.html
readme=:readme.html
readme=:README.htm
readme=:readme.htm
readme=:README.txt
readme=:readme.txt
readme=:README
readme=:readme
readme=:INSTALL.txt
readme=:install.txt
readme=:INSTALL
readme=:install

Suggested-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-26 16:30:03 +02:00
Jason A. Donenfeld
cd4c77d989 readme: Accept multiple candidates and test them.
The readme variable may now contain multiple space deliminated entries,
which per usual are either a filepath or a git ref filepath. If multiple
are specified, cgit will now select the first one in the list that
exists. This is to make it easier to specify multiple default readme
types in the main cgitrc file and have them automatically get applied to
each repo based on what exists.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-25 20:33:28 +02:00
Jason A. Donenfeld
c0dfaf1c28 ui-summary: Pass filename to about-filter
This gives the about-filter API the same semantics as source-filter,
where the filter receives the filename so it can decide what to do next
with it.

While we're at it, plug a memory leak.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-25 20:33:28 +02:00
Jason A. Donenfeld
03eb76dfad cgit.c: Do not reset HOME after unsetting it.
The number of odd cases in which git will try to read config is far too
great to keep putting a bandaid over each one, so we'll just unset it.

If it turns out that scripts really liked to know about $HOME, we can
always reset it in the filter forks.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-25 20:33:28 +02:00
Jason A. Donenfeld
5a4156ef95 cgit.c: sync repo config printing with struct cgit_repo
We've now added quite a few config keys for repositories, but we've
forgotten to update the printing of it for cache files. Synchronize the
two.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-05-25 14:07:10 +02:00
Jason A. Donenfeld
389cc17357 Add branch-sort and repo.branch-sort options.
When set to "name", branches are sorted by name, which is the current
default. When set to "age", branches are sorted by the age of the
repository.

This feature was requested by Konstantin Ryabitsev for use on
kernel.org.

Proposed-by: Konstantin Ryabitsev <mricon@kernel.org>
2013-04-10 14:48:26 +02:00
Lukas Fleischer
8d8e84e72a cgit.c: Do not restore unset environment variables
getenv() returns a NULL pointer if the specified variable name cannot be
found in the environment. However, some setenv() implementations crash
if a NULL pointer is passed as second argument. Only restore variables
that are not NULL.

See commit d96d2c98eb for a related patch.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2013-04-10 13:46:30 +02:00
Jason A. Donenfeld
8a92df033e Do not load user or system gitconfig and gitattributes
While doing any kind of git loading, unset HOME variables and set
NOSYSTEM variables so that cgit does not load any settings that a user
may have set for his own /usr/bin/git usage.

This fixes a fatal error introduced with git 1.8, whereupon git would
fatally exit when failing to access particular files.

The result of this is that only repo-local configuration files are
accessed:

zx2c4@thinkpad ~/Projects/cgit $ HOME=/root QUERY_STRING="url=foo/log"
CGIT_CONFIG=tests/trash/cgitrc strace -e access ./cgit >/dev/null
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
access("repos/foo/.git/objects", X_OK) = 0
access("repos/foo/.git/refs", X_OK) = 0
access("repos/foo/.git/config", R_OK) = 0
access("repos/foo/.git/config", R_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0
+++ exited with 0 +++

Reported-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Ferry Huberts <ferry.huberts@pelagic.nl>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-04-08 21:43:26 +02:00
John Keeping
fb3655df3b use struct strbuf instead of static buffers
Use "struct strbuf" from Git to remove the limit on file path length.

Notes on scan-tree:
This is slightly involved since I decided to pass the strbuf into
add_repo() and modify if whenever a new file name is required, which
should avoid any extra allocations within that function.  The pattern
there is to append the filename, use it and then reset the buffer to its
original length (retaining a trailing '/').

Notes on ui-snapshot:
Since write_archive modifies the argv array passed to it we
copy the argv_array values into a new array of char* and then free the
original argv_array structure and the new array without worrying about
what the values now look like.

Signed-off-by: John Keeping <john@keeping.me.uk>
2013-04-08 16:12:52 +02:00
John Keeping
ed5bd30ebe Convert cgit_print_error to a variadic function
This removes many uses of "fmt" which uses a fixed size static pool of
fixed size buffers.  Instead of relying on these, we now pass around
argument lists for as long as possible before using a strbuf to render
content of an arbitrary size.

Signed-off-by: John Keeping <john@keeping.me.uk>
2013-04-08 16:11:29 +02:00
John Keeping
b1f17f168b Fix out-of-bounds memory accesses with virtual_root=""
The CGit configuration variable virtual_root is normalized so that it
does not have a trailing '/' character, but it is allowed to be empty
(the empty string and NULL have different meanings here) and there is
code that is insufficiently cautious when checking if it ends in a '/':

	if (virtual_root[strlen(virtual_root) - 1] != '/')

Clearly this check is redundant, but rather than simply removing it we
get a slight efficiency improvement by switching the normalization so
that the virtual_root variable always ends in '/'.  Do this with a new
"ensure_end" helper.

Signed-off-by: John Keeping <john@keeping.me.uk>
2013-04-08 15:59:46 +02:00