Commit Graph

1626 Commits

Author SHA1 Message Date
Christian Hesse
edb3403f00 ui-patch: ban sprintf()
Git upstream bans sprintf() with commit:

  banned.h: mark sprintf() as banned
  cc8fdaee1eeaf05d8dd55ff11f111b815f673c58

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
7f75647b55 ui-log: ban strncpy()
Git upstream bans strncpy() with commit:

  banned.h: mark strncpy() as banned
  e488b7aba743d23b830d239dcc33d9ca0745a9ad

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
71ba7187e5 ui-log: ban strcpy()
Git upstream bans strcpy() with commit:

  automatically ban strcpy()
  c8af66ab8ad7cd78557f0f9f5ef6a52fd46ee6dd

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
60a930044d parsing: ban sprintf()
Git upstream bans sprintf() with commit:

  banned.h: mark sprintf() as banned
  cc8fdaee1eeaf05d8dd55ff11f111b815f673c58

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
7cde5885d8 parsing: ban strncpy()
Git upstream bans strncpy() with commit:

  banned.h: mark strncpy() as banned
  e488b7aba743d23b830d239dcc33d9ca0745a9ad

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
b0fc647fe6 filters: generate anchor links from markdown
This makes the markdown filter generate anchor links for headings.

Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-by: jean-christophe manciot <actionmystique@gmail.com>
2018-08-28 14:37:19 +02:00
Jason A. Donenfeld
824138e591 Bump version.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03 17:04:03 +02:00
Jason A. Donenfeld
53efaf30b5 clone: fix directory traversal
This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>
2018-08-03 17:04:03 +02:00
Konstantin Ryabitsev
c679d90104 config: record repo.snapshot-prefix in the per-repo config
Even if we find snapshot-prefix in the repo configuration, we are not
writing it out into the rc- file, so setting the value does not have any
effect.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
2018-08-03 16:12:21 +02:00
Jason A. Donenfeld
77b6f83344 auth-filters: add simple file-based authentication scheme
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-03 16:12:21 +02:00
Jason A. Donenfeld
82856923bf auth-filters: use crypt() in simple-authentication
There's no use in giving a silly example to folks who will just copy it,
so instead try to do something slightly better.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 04:18:03 +02:00
Jason A. Donenfeld
b73df8098f auth-filters: generate secret securely
This is much better than having the user generate it themselves.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-15 03:30:57 +02:00
Jason A. Donenfeld
c4d23d02ec auth-filters: do not crash on nil username
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 05:10:28 +02:00
Jason A. Donenfeld
93a2c33051 auth-filter: do not write more than we've read
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 05:09:27 +02:00
Jason A. Donenfeld
c3b5b5f648 auth-filters: do not use HMAC-SHA1
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-14 03:33:56 +02:00
Jason A. Donenfeld
c132ef2462 Bump version.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-13 22:40:42 +02:00
Todd Zullinger
5dec7f4a91 Update COPYING
The address of the Free Software Foundation has changed since the
license was added in 7640d90 ("Add license file and copyright notices",
2006-12-10).  Update the license file from gnu.org¹.

The only non-whitespace changes are the updated FSF address and two
references to the L in LGPL changed from Library to Lesser.

¹ https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Signed-off-by: Todd Zullinger <tmz@pobox.com>
2018-07-10 16:40:15 +02:00
Jason A. Donenfeld
089b29a7e1 css: use correct size in annotated decoration
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-08 19:14:51 +02:00
Jason A. Donenfeld
22583c4992 cgitrc.5: add local tar signature example
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-05 02:40:48 +02:00
Jason A. Donenfeld
08a2b1b8f8 Fix gcc 8.1.1 compiler warnings
CC ../shared.o
../shared.c: In function ‘expand_macro’:
../shared.c:487:3: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
   strncpy(name, value, len);
   ^~~~~~~~~~~~~~~~~~~~~~~~~
../shared.c:484:9: note: length computed here
   len = strlen(value);
         ^~~~~~~~~~~~~
../ui-shared.c: In function ‘cgit_repobasename’:
../ui-shared.c:136:2: warning: ‘strncpy’ specified bound 1024 equals destination size [-Wstringop-truncation]
  strncpy(rvbuf, reponame, sizeof(rvbuf));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CC ../ui-ssdiff.o
../ui-ssdiff.c: In function ‘replace_tabs’:
../ui-ssdiff.c:142:4: warning: ‘strncat’ output truncated copying between 1 and 8 bytes from a string of length 8 [-Wstringop-truncation]
    strncat(result, spaces, 8 - (strlen(result) % 8));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-04 03:13:41 +02:00
Jason A. Donenfeld
c4167cbd65 cgitrc.5: document new signature notes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-03 20:44:25 +02:00
Christian Hesse
7ba41963dd snapshot: support tar signature for compressed tar
This adds support for kernel.org style signatures where the uncompressed
tar archive is signed and compressed later. The signature is valid for
all tar* snapshots.

We have a filter which snapshots may be generated and downloaded. This has
to allow tar signatures now even if tar itself is not allowed. To simplify
things we allow all signatures.

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-07-03 20:37:44 +02:00
Jason A. Donenfeld
b522a302c9 extra-head-content: introduce another option for meta tags
This is to support things like go-import meta tags, which are on a
per-repo basis.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-03 20:37:00 +02:00
John Keeping
c4fbb99cee Use string list strdup_strings for mimetypes
There's no need to do this manually with the string list API will do it
for us.

Signed-off-by: John Keeping <john@keeping.me.uk>
2018-06-27 19:28:16 +02:00
Andy Green
9086260329 manpage: fix sorting order
You maybe didn't know you had OCD until you saw an
alpha sorted list that has stuff out of order in it.

Signed-off-by: Andy Green <andy@warmcat.com>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 19:27:43 +02:00
John Keeping
b31e99887b cache: close race window when unlocking slots
We use POSIX advisory record locks to control access to cache slots, but
these have an unhelpful behaviour in that they are released when any
file descriptor referencing the file is closed by this process.

Mostly this is okay, since we know we won't be opening the lock file
anywhere else, but there is one place that it does matter: when we
restore stdout we dup2() over a file descriptor referring to the file,
thus closing that descriptor.

Since we restore stdout before unlocking the slot, this creates a window
during which the slot content can be overwritten.  The fix is reasonably
straightforward: simply restore stdout after unlocking the slot, but the
diff is a bit bigger because this requires us to move the temporary
stdout FD into struct cache_slot.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:13:03 +02:00
Christian Hesse
255b78ff52 git: update to v2.18.0
Update to git version v2.18.0. Required changes follow upstream commits:

* Convert find_unique_abbrev* to struct object_id
  (aab9583f7b5ea5463eb3f653a0b4ecac7539dc94)
* sha1_file: convert read_sha1_file to struct object_id
  (b4f5aca40e6f77cbabcbf4ff003c3cf30a1830c8)
* sha1_file: convert sha1_object_info* to object_id
  (abef9020e3df87c441c9a3a95f592fce5fa49bb9)
* object-store: move packed_git and packed_git_mru to object store
  (a80d72db2a73174b3f22142eb2014b33696fd795)
* treewide: rename tree to maybe_tree
  (891435d55da80ca3654b19834481205be6bdfe33)

The changed data types required some of our own functions to be converted
to struct object_id:

  ls_item
  print_dir
  print_dir_entry
  print_object
  single_tree_cb
  walk_tree
  write_tree_link

And finally we use new upstream functions that were added for
struct object_id:

  hashcpy     -> oidcpy
  sha1_to_hex -> oid_to_hex

Signed-off-by: Christian Hesse <mail@eworm.de>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 18:13:03 +02:00
Christian Hesse
54d37dc154 global: remove functionality we deprecated for cgit v1.0
The man page states these were deprecated for v1.0. We are past v1.1,
so remove the functionality.

Signed-off-by: Christian Hesse <mail@eworm.de>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 18:13:03 +02:00
Christian Hesse
2f8648ff7f snapshot: strip bit from struct cgit_snapshot_format
We had a static bit value in struct cgit_snapshot_format. We do not rely
on it and things can be calculated on the fly. So strip it.

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:13:00 +02:00
Christian Hesse
30a378b571 snapshot: support special value 'all' to enable all formats
Signed-off-by: Christian Hesse <mail@eworm.de>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 18:11:19 +02:00
John Keeping
c712d5ac43 snapshot: support archive signatures
Read signatures from the notes refs refs/notes/signatures/$FORMAT where
FORMAT is one of our archive formats ("tar", "tar.gz", ...).  The note
is expected to simply contain the signature content to be returned when
the snapshot "${filename}.asc" is requested, so the signature for
cgit-1.1.tar.xz can be stored against the v1.1 tag with:

	git notes --ref=refs/notes/signatures/tar.xz add -C "$(
		gpg --output - --armor --detach-sign cgit-1.1.tar.xz |
		git hash-object -w --stdin
	)" v1.1

and then downloaded by simply appending ".asc" to the archive URL.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
71d14d9c98 ui-refs: use shared function to print tag downloads
cgit_compose_snapshot_prefix() is identical to print_tag_downloads(), so
remove the latter and use the function from ui-shared.c instead.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
e491eaa5df ui-shared: pass separator in to cgit_print_snapshot_links()
cgit_print_snapshot_links() is almost identical to
print_tag_downloads(), so let's extract the difference to a parameter in
preparation for removing print_tag_downloads() in the next commit.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
5b1f42ffee ui-shared: use the same snapshot logic as ui-refs
Make snapshot links in the commit UI use the same prefix algorithm as
those in the summary UI, so that refs starting with the snapshot prefix
are used as-is rather than composed with the prefix repeated.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
82aadcfc51 ui-shared: rename parameter to cgit_print_snapshot_links()
This is expected to be a ref not a hex object ID, so name it more
appropriately.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
63da41a915 ui-shared: remove unused parameter
The "head" parameter to cgit_print_snapshot_links() is never used, so
remove it.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
f0047d2d94 ui-refs: remove unnecessary sanity check
There is no way for refinfo::refname to be null, and Git will prevent
zero-length refs so this check is unnecessary.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
00ad47bbfa ui-snapshot: filter permitted snapshot requests
Currently the snapshots configuration option only filters which links
are displayed, not which snapshots may be generated and downloaded.
Apply the filter also to requests to ensure that the system policy is
enforced.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
c1572bb5ec Add "snapshot-prefix" repo configuration
Allow using a user-specified value for the prefix in snapshot files
instead of the repository basename.  For example, files downloaded from
the linux-stable.git repository should be named linux-$VERSION and not
linux-stable-$VERSION, which can be achieved by setting:

	repo.snapshot-prefix=linux

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
d85e8a9810 ui-snapshot: pass repo into get_ref_from_filename()
Prepare to allow a custom snapshot prefix.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
John Keeping
bd1b281478 ui-shared: pass repo object to print_snapshot_links()
Both call sites of cgit_print_snapshot_links() use the same values for
the snapshot mask and repository name, which are derived from the
cgit_repo structure so let's pass in the structure and access the fields
directly.

Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:11:19 +02:00
Christian Hesse
0bb34ef130 ui-log: highlight annotated tags in different color
Annotated tags have some extra information... Descriptive text or signature.
Highlighting annotated tags in a different color show what tag may be worth
clicking for extra information.

Signed-off-by: Christian Hesse <mail@eworm.de>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 18:01:29 +02:00
Christian Hesse
e65ea965a0 print git version string in footer
This helps tracking what git version cgit uses. The security implications are
low as anybody can look up the version of our submodule anyway. The paranoid
can use a custom footer. :-p

On the other hand this brings potential security issues to the
administrators eyes...

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:01:29 +02:00
Christian Hesse
fb804a3537 git: update to v2.17.1
Update to git version v2.17.1. Required changes:

* The function 'typename' has been renamed to 'type_name'
  (upstream commit debca9d2fe784193dc2d9f98b5edac605ddfefbb)

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-06-27 18:01:29 +02:00
Andy Green
b759189574 ui-blame: free read_sha1_file() buffer after use
Signed-off-by: Andy Green <andy@warmcat.com>
Signed-off-by: John Keeping <john@keeping.me.uk>
2018-06-19 22:45:09 +01:00
Jon DeVree
26610aff34 ui-tag: Fix inconsistent capitalization
Way back in 2009 all of these were lower cased except this one
occurrence.

Signed-off-by: Jon DeVree <nuxi@vault24.org>
Signed-off-by: John Keeping <john@keeping.me.uk>
2018-06-16 17:42:32 +01:00
Andy Green
7708859c4d ui-tree: free read_sha1_file() buffer after use
Free up the buffer allocated in read_sha1_file()

Signed-off-by: Andy Green <andy@warmcat.com>
Signed-off-by: John Keeping <john@keeping.me.uk>
2018-06-16 15:20:11 +01:00
John Keeping
48f175083a Makefile: drive asciidoc directly for HTML output
This is mostly taken from Git's doc/Makefile, although simplified for
our use.  The output now uses Asciidoc's default CSS which I think looks
a bit nicer than the Docbook formatting; as a result of this we no
longer need our custom .css file.

A side effect of this change is that temporary files generated from the
HTML output no longer conflict with the manpage output format (because
any temporary HTML output files use names derived from the output
filename which includes .html).

Signed-off-by: John Keeping <john@keeping.me.uk>
2018-06-16 14:06:03 +01:00
Todd Zullinger
33414d7869 doc: use consistent id's when generating html files
The html documentation is generated using a2x which calls docbook tools
to do the work.  The generate.consistent.ids parameter ensures that when
the docbook stylesheet assigns an id value to an output element it is
consistent as long as the document structure has not changed.

Having consistent html files reduces frivolous changes between builds.
Distributions can more easily deploy multiple architecture builds and
compare changes between package versions.  End-users avoid needless
changes in files deployed or backed up.

The generate.consistent.ids parameter was added in docbook-xsl-1.77.0.
Older versions gracefully ignore the parameter, so we can pass the
parameter unconditionally.  Most distributions contain docbook-xsl newer
than 1.77.0.  This includes Fedora, Debian, Ubuntu, and RHEL/CentOS 7.
RHEL/CentOS 6 and Debian Wheezy (old stable) ship with an older version,
unsurprisingly.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
2018-02-21 03:12:57 +01:00
Jason A. Donenfeld
03f6e34bb9 cgit: prepare repo before error pages
This fixes a crash when showing a list of all heads in the <select> box
in the header.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-12 23:25:29 +01:00