With sha1 we had a guaranteed length of 40 hex chars. This changes now
that we have to support sha256 with 64 hex chars... Support both.
Signed-off-by: Christian Hesse <mail@eworm.de>
This makes the markdown filter generate anchor links for headings.
Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-by: jean-christophe manciot <actionmystique@gmail.com>
There's no use in giving a silly example to folks who will just copy it,
so instead try to do something slightly better.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Place file contents into a single block so that syntax highlighting can
be applied in the usual fashion. Place the alternating color bars
behind the file contents. Force the default syntax highlighting
background to transparent.
Signed-off-by: Jeff Smith <whydoubt@gmail.com>
Reviewed-by: John Keeping <john@keeping.me.uk>
Otherwise we get the classic Python UTF-8 errors, and the text is all
out of order. While we're at it, switch to python3 so we only have to
support one set of oddball semantics.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Daniel Campbell <dlcampbell@gmx.com>
Serving cgit via https and getting avatar via http gives error messages
about untrusted content. This decides whether or not to use https link
by looking at the environment variable HTTPS, which is set in CGI.
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.
Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.
Very plugable and extendable depending on user needs.
The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Filters can now indicate a status back to cgit by means of the exit code
for exec, or the return value from close for Lua.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Since the email filter is called from lots of places, the script might
benefit from knowing the origin. That way it can modify its contents
and/or size depending.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Switched back to python2 according to a problem in pygments with python3.
With the next release of pygments this problem should be fixed.
Issue see here:
https://bitbucket.org/birkenfeld/pygments-main/issue/901/problems-with-python3
- Just read the stdin, decode it to utf-8 and ignore unknown signs. This ensures
that even destroyed files do not cause any errors in the filter.
- Improved language guessing:
-> At first use guess_lexer_for_filename for a better detection of the used
programming languages (even mixed cases will be detected, e.g. php + html).
-> If nothing was found look if there is a shebang and use guess_lexer.
-> As default/fallback choose TextLexer.
Signed-off-by: Stefan Tatschner <stefan@sevenbyte.org>
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.
This patch adds simple argument quoting.