aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* CGIT-0.9.2v0.9.2Jason A. Donenfeld2013-05-271-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Features: - update to git v1.8.3. - expanded set of default filters to include markdown, restructuredtext, and man pages. - better sample configuration file in man page. - "readme" may now be specified multiple times, and cgit will choose the first one it finds. - "readme" no longer needs a branch name. If prefixed with simply ":" it will use the default branch. - "branch-sort" allowing branches to be sorted either by "age" or "name", for kernel.org. - "enable-index-owner" allowing the owner column to be disabled in the index page. - print submodule revision next to submodule link. - integrate more closely with git apis, such as strbuf. - rely on git test harness and git makefiles. - more robust test suite. - more rebust makefile dependency accounting. - pager navigation is now unordered list. - span tag wraps commit directions. Behavior changes: - HOME is no longer passed as an environment variable to any filter api scripts. - "about-filter" now receives the filename being filtered as argv[1]. This may disrupt existing scripts, so adjust accordingly. - gitconfig and gitattributes are no longer loaded from any system directories or home directories. Security: - CVE-2013-2117: disallow directory traversal when readme is set to filesystem path. Bug fixes: - ssdiff now correctly manages tab expansion. - support unannotated tags in http git clone. - lots of cleanups of global variables and memory leaks. - do not rely on gettext/libintl. - better C standard compliance. - make several functions and variables static. - improved constification. - remove unused functions. - fix colspan values to correct width. - fix out-of-bounds memory accesses with virtual_root="". - cache repo config more precisely. - die when write fails. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* README: add trailing slash to homepageJason A. Donenfeld2013-05-271-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgitrc.5: improve example configJason A. Donenfeld2013-05-271-0/+53
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* filters: import more modern scriptsJason A. Donenfeld2013-05-2710-15/+1815
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* readme: use string_list instead of space deliminationsJason A. Donenfeld2013-05-2610-122/+160
| | | | | | | | | | | | | | | | | | | | | | | | | | Now this is possible in cgitrc - readme=:README.md readme=:readme.md readme=:README.mkd readme=:readme.mkd readme=:README.rst readme=:readme.rst readme=:README.html readme=:readme.html readme=:README.htm readme=:readme.htm readme=:README.txt readme=:readme.txt readme=:README readme=:readme readme=:INSTALL.txt readme=:install.txt readme=:INSTALL readme=:install Suggested-by: John Keeping <john@keeping.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Disallow directory traversalJason A. Donenfeld2013-05-251-0/+16
| | | | | | | | | | | | | | | | | | | | | Using the url= query string, it was possible request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgitrc.5: information on directory traversal and multiple readme filesJason A. Donenfeld2013-05-251-6/+11
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* readme: Accept multiple candidates and test them.Jason A. Donenfeld2013-05-255-31/+95
| | | | | | | | | | | The readme variable may now contain multiple space deliminated entries, which per usual are either a filepath or a git ref filepath. If multiple are specified, cgit will now select the first one in the list that exists. This is to make it easier to specify multiple default readme types in the main cgitrc file and have them automatically get applied to each repo based on what exists. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Pass filename to about-filterJason A. Donenfeld2013-05-254-8/+22
| | | | | | | | | | This gives the about-filter API the same semantics as source-filter, where the filter receives the filename so it can decide what to do next with it. While we're at it, plug a memory leak. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-summary: Use default branch for readme if : prefixJason A. Donenfeld2013-05-252-2/+9
| | | | | | | If the readme value begins with ":", and has no specified branch before it, use the repository's default branch. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgit.c: Do not reset HOME after unsetting it.Jason A. Donenfeld2013-05-252-22/+0
| | | | | | | | | | The number of odd cases in which git will try to read config is far too great to keep putting a bandaid over each one, so we'll just unset it. If it turns out that scripts really liked to know about $HOME, we can always reset it in the filter forks. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* cgit.c: sync repo config printing with struct cgit_repoJason A. Donenfeld2013-05-251-0/+14
| | | | | | | | We've now added quite a few config keys for repositories, but we've forgotten to update the printing of it for cache files. Synchronize the two. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* git: update to 1.8.3John Keeping2013-05-252-1/+1
| | | | | | No changes required, just bump the submodule and Makefile versions. Signed-off-by: John Keeping <john@keeping.me.uk>
* cache.c: cache ls_cache output properlyJohn Keeping2013-05-222-7/+14
| | | | | | | | | By using the standard library's printf, cache_ls does not redirect its output to the cache when we change the process' stdout file descriptor to point to the cache file. Fix this by using "htmlf" in the same way that we do for writing HTTP headers. Signed-off-by: John Keeping <john@keeping.me.uk>
* tests: introduce strip_header() helper functionJohn Keeping2013-05-222-2/+10
| | | | | | | | This means that we can avoid hardcoding the number of headers we expect CGit to generate in test cases and simply remove whatever headers happen to by there when we are checking body content. Signed-off-by: John Keeping <john@keeping.me.uk>
* shared.c: use die_errno() where appropriateJohn Keeping2013-05-221-5/+4
| | | | | | | This replaces some code that is re-implementing die_errno by just calling the function. Signed-off-by: John Keeping <john@keeping.me.uk>
* html.c: die when write failsJohn Keeping2013-05-221-1/+1
| | | | | | | | If we fail to write HTML output once, there's no point carrying on so just write a failure message once and die. By using Git's die_errno function we also let the user know in what way the write failed. Signed-off-by: John Keeping <john@keeping.me.uk>
* ui-log: add <span/> around commit decorationsJohn Keeping2013-05-221-0/+2
| | | | | | | | | | | | This helps projects that have a large number of tags to display them all using custom CSS. The default stylesheet has not been updated since what is useful for projects with a lot of tags is not the same as what is useful for projects with only a small number of decorations per commit. Suggested-by: Konstantin Ryabitsev <mricon@kernel.org> Signed-off-by: John Keeping <john@keeping.me.uk>
* Makefile: fix parallel "make test"John Keeping2013-05-221-5/+3
| | | | | | | | | | | | | When building the "test" target we depend on both cgit and building the Git tools. By doing this with two targets we end up running make in the git/ directory twice, concurrently if using parallel make, which causes us to build more than we need and potentially builds incorrectly if multi-step build-then-move operations overlap. Fix this by instead calling back into the makefile so that we alter the "cgit" target to also build the Git tools. Signed-off-by: John Keeping <john@keeping.me.uk>
* cache.c: fix cache_lsJohn Keeping2013-05-181-4/+10
| | | | | | | | | | | Commit fb3655d (use struct strbuf instead of static buffers, 2013-04-06) broke the logic in cache.c::cache_ls by failing to set slot->cache_name before calling open_slot. While fixing this, also free the strbufs added by that commit once we're done with them. Signed-off-by: John Keeping <john@keeping.me.uk>
* t0109: "function" is a bash-ismJohn Keeping2013-05-131-1/+1
| | | | | | | | | We try to stick to POSIX shell in the tests but a "function" keyword has found its way into t0109. Remove it. This makes the tests work with dash again. Signed-off-by: John Keeping <john@keeping.me.uk>
* New mailing list.Jason A. Donenfeld2013-05-131-2/+3
|
* ui-snapshot: do not access $HOMEJason A. Donenfeld2013-04-302-0/+10
| | | | | | | | | | | | It's a bit tedious to have to do this here too. If we encounter other issues with $HOME down the line, I'll look into adding some nice utility functions to handle this, or perhaps giving up on the hope that we could keep $HOME defined for scripts. This commit additionally adds a test case, should the issue surface again. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* t0001: validate Git -rcN version numbers correctlyJohn Keeping2013-04-271-1/+6
| | | | | | | | | | | | | | | When creating the GIT-VERSION-FILE that we use to test that the version of Git in git/ is the same as in the CGit Makefile, Git applies the transform "s/-/./g" to the version string. This doesn't affect released versions but does change RC version numbers such as 1.8.3-rc0. While CGit should only refer to a released Git version in general, it is useful to developers who want to test upcoming Git releases if the tests do work with RCs, so change t0001 to apply the same transform to our Makefile version before comparing it to the contents of GIT-VERSION-FILE. Signed-off-by: John Keeping <john@keeping.me.uk>
* git: update to 1.8.2.2John Keeping2013-04-272-1/+1
| | | | | | No changes required, just bump the submodule and Makefile version. Signed-off-by: John Keeping <john@keeping.me.uk>
* scan-tree: fix regression in section-from-path=-1John Keeping2013-04-171-0/+2
| | | | | | | | | | | | | Commit fb3655d (use struct strbuf instead of static buffers - 2013-04-06) introduced a regression in the "section-from-path" handling when the configured value is negative. By changing the "rel" variable so that it includes a trailing slash, counting slashes from the end of the string no longer gives the same answer as it did before. Fix this by ensuring that "rel" does not have a trailing slash. Reported-by: Julius Plenz <plenz@cis.fu-berlin.de> Signed-off-by: John Keeping <john@keeping.me.uk>
* t0001: ignore ".dirty" suffix on Git versionJohn Keeping2013-04-151-1/+1
| | | | | | | | | | | | | | When testing modifications in Git that affect CGit, it is annoying to have t0001 failing simply because the Git version has a ".dirty" suffix when the version of Git there does indeed match that specified in the CGit makefile. Stop this by stripping the ".dirty" suffix from the GIT_VERSION variable. Note that this brings the "Git version" behaviour in line with the "submodule version" case which does not check if the working tree in git/ is modified. Signed-off-by: John Keeping <john@keeping.me.uk>
* tests: set TEST_OUTPUT_DIRECTORY to the CGit test directoryJohn Keeping2013-04-151-0/+1
| | | | | | | | | | | | | | | By default, Git's test suite puts the trash directories and test-results directory into its own directory, not that containing the tests being run. This is less convenient for inspecting test failures, so set the output directory to CGit's tests/ directory instead. Note that there is currently a bug in Git whereby it will create the trash directories in our tests/ directory regardless of the value of TEST_OUTPUT_DIRECTORY, and then fail to remove them once the tests are done. This change does currently affect the location of the test-results/ directory though. Signed-off-by: John Keeping <john@keeping.me.uk>
* t0109: test more URLsJohn Keeping2013-04-151-4/+20
| | | | | | | | | | | In order to ensure that we don't access $HOME at some point after initial startup when rendering a specific view, run the strace test on a range of different pages. This ensures that we don't end up reading a configuration later for some specific view. Signed-off-by: John Keeping <john@keeping.me.uk>
* cgitrc.5.txt: Specify when scan-path must be defined before.Jason A. Donenfeld2013-04-101-9/+11
| | | | | | | | Several options must be specified prior to scan-path. This is consistant source of user confusion. Document these facts. Suggested-by: Lukas Fleischer <cgit@cryptocrack.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ui-snapshot.c: Prepend "V" when guessing ref namesLukas Fleischer2013-04-101-2/+6
| | | | | | | | | In cgit_print_snapshot_links() we strip leading "v" and "V", while we currently only prepend a lower case "v" when parsing a snapshot file name. This results in broken snapshot links for tags that start with an upper case "V". Avoid this by prepending a "V" as a fallback. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* t0107: Skip ZIP tests if unzip(1) isn't availableLukas Fleischer2013-04-101-4/+10
| | | | | | | | Note that we cannot use skip_all here since some tests have already been executed when ZIP tests are reached. Use test prerequisites to skip everything using unzip(1) if the binary is not available instead. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* tests/: Do not use `sed -i`Lukas Fleischer2013-04-102-5/+8
| | | | | | | "-i" isn't part of the POSIX standard and doesn't work on several platforms such as OpenBSD. Use a temporary file instead. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* Add branch-sort and repo.branch-sort options.Jason A. Donenfeld2013-04-105-22/+46
| | | | | | | | | | | When set to "name", branches are sorted by name, which is the current default. When set to "age", branches are sorted by the age of the repository. This feature was requested by Konstantin Ryabitsev for use on kernel.org. Proposed-by: Konstantin Ryabitsev <mricon@kernel.org>
* t0109: chain operations with &&John Keeping2013-04-101-1/+1
| | | | | | | | Without '&&' between operations, we will not detect if strace or cgit exit with an error status, which would cause a false positive test status in this case. Signed-off-by: John Keeping <john@keeping.me.uk>
* cgit.c: Do not restore unset environment variablesLukas Fleischer2013-04-101-2/+4
| | | | | | | | | | | getenv() returns a NULL pointer if the specified variable name cannot be found in the environment. However, some setenv() implementations crash if a NULL pointer is passed as second argument. Only restore variables that are not NULL. See commit d96d2c98ebc4c2d3765f5b35c4142e0e828a421b for a related patch. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* t0107: Use `tar -z` for gzip'ed archivesLukas Fleischer2013-04-091-1/+1
| | | | | | | Some tar(1) versions do not support auto detection of the compression type. Explicitly specify "-z" to decompress a ".tar.gz" archive. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* tests: Make sure that git does not access $HOMEJason A. Donenfeld2013-04-081-0/+25
| | | | | | | | | | | With the latest changes to prevent git from accessing configuration files that it should not, it's important to be sure that we won't have further breakage in the future. Use strace to implement a test to make sure cgit does not access() anything built from $HOME. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tests/.gitignore: update for using Git's test infrastructureJohn Keeping2013-04-082-3/+3
| | | | Signed-off-by: John Keeping <john@keeping.me.uk>
* tests: use Git's test frameworkJohn Keeping2013-04-0813-291/+239
| | | | | | | | | | | | This allows tests to run in parallel as well as letting us use "prove" or another TAP harness to run the tests. Git's test framework requires Git to be fully built before letting any tests run, so add a new target to the top-level Makefile which builds all of Git instead of just libgit.a and make the "test" target depend on that. Signed-off-by: John Keeping <john@keeping.me.uk>
* Do not load user or system gitconfig and gitattributesJason A. Donenfeld2013-04-083-2/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While doing any kind of git loading, unset HOME variables and set NOSYSTEM variables so that cgit does not load any settings that a user may have set for his own /usr/bin/git usage. This fixes a fatal error introduced with git 1.8, whereupon git would fatally exit when failing to access particular files. The result of this is that only repo-local configuration files are accessed: zx2c4@thinkpad ~/Projects/cgit $ HOME=/root QUERY_STRING="url=foo/log" CGIT_CONFIG=tests/trash/cgitrc strace -e access ./cgit >/dev/null access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) access("repos/foo/.git/objects", X_OK) = 0 access("repos/foo/.git/refs", X_OK) = 0 access("repos/foo/.git/config", R_OK) = 0 access("repos/foo/.git/config", R_OK) = 0 access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0 access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0 access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0 access("repos/foo/.git/objects/b3/bafdbf0183f4897ef8b1319cb8c490ed54717e", F_OK) = 0 +++ exited with 0 +++ Reported-by: Ferry Huberts <ferry.huberts@pelagic.nl> Tested-by: Jason A. Donenfeld <Jason@zx2c4.com> Tested-by: Ferry Huberts <ferry.huberts@pelagic.nl> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* use struct strbuf instead of static buffersJohn Keeping2013-04-0812-243/+305
| | | | | | | | | | | | | | | | | | | Use "struct strbuf" from Git to remove the limit on file path length. Notes on scan-tree: This is slightly involved since I decided to pass the strbuf into add_repo() and modify if whenever a new file name is required, which should avoid any extra allocations within that function. The pattern there is to append the filename, use it and then reset the buffer to its original length (retaining a trailing '/'). Notes on ui-snapshot: Since write_archive modifies the argv array passed to it we copy the argv_array values into a new array of char* and then free the original argv_array structure and the new array without worrying about what the values now look like. Signed-off-by: John Keeping <john@keeping.me.uk>
* Remove redundant calls to fmt("%s", ...)John Keeping2013-04-082-3/+3
| | | | | | | | After this change there is one remaining call 'fmt("%s", delim)' in ui-shared.c but is needed as delim is stack allocated and so cannot be returned from the function. Signed-off-by: John Keeping <john@keeping.me.uk>
* Convert cgit_print_error to a variadic functionJohn Keeping2013-04-0811-45/+57
| | | | | | | | | This removes many uses of "fmt" which uses a fixed size static pool of fixed size buffers. Instead of relying on these, we now pass around argument lists for as long as possible before using a strbuf to render content of an arbitrary size. Signed-off-by: John Keeping <john@keeping.me.uk>
* shared.c: add strbuf_ensure_endJohn Keeping2013-04-082-0/+8
| | | | | | | This is a small helper so that we can easily ensure that a strbuf ends with the specified character. Signed-off-by: John Keeping <john@keeping.me.uk>
* html.c: add various strbuf and varadic helpersJohn Keeping2013-04-083-4/+63
| | | | | | | | | | This adds the fmtalloc helper, html_txtf, html_vtxtf, and html_attrf. These takes a printf style format string like htmlf but escapes the resulting string. The html_vtxtf variant takes a va_list whereas html_txtf is variadic. Signed-off-by: John Keeping <john@keeping.me.uk>
* Mark char* fields in struct cgit_page as constJohn Keeping2013-04-082-7/+8
| | | | Signed-off-by: John Keeping <john@keeping.me.uk>
* Fix out-of-bounds memory accesses with virtual_root=""John Keeping2013-04-084-18/+25
| | | | | | | | | | | | | | | | The CGit configuration variable virtual_root is normalized so that it does not have a trailing '/' character, but it is allowed to be empty (the empty string and NULL have different meanings here) and there is code that is insufficiently cautious when checking if it ends in a '/': if (virtual_root[strlen(virtual_root) - 1] != '/') Clearly this check is redundant, but rather than simply removing it we get a slight efficiency improvement by switching the normalization so that the virtual_root variable always ends in '/'. Do this with a new "ensure_end" helper. Signed-off-by: John Keeping <john@keeping.me.uk>
* ui-refs.c: Refactor print_tag()Lukas Fleischer2013-04-081-29/+27
| | | | | | | | The code snippets for OBJ_TAG and other object types are almost equivalent. Merge them and use a couple of inline if conditions to select proper fields. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
* ui-refs.c: Remove global header variableLukas Fleischer2013-04-081-6/+0
| | | | | | | | | | | | print_tag_header() is only called from cgit_print_tags() -- the conditional invocation in print_tag() is never executed since print_tag() is only called by cgit_print_tags() which already executes print_tag_header() before (resulting in the global variable being always set in when the condition is evaluated). Remove the global variable and the conditional invocation. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>