<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/gitweb, branch v1.7.0.9</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v1.7.0.9</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v1.7.0.9'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2010-12-15T19:38:19Z</updated>
<entry>
<title>Git 1.7.0.9</title>
<updated>2010-12-15T19:38:19Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2010-12-15T19:38:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=cb198b3b67feb2c0a6f22199ec14fa48d18ac1ce'/>
<id>urn:sha1:cb198b3b67feb2c0a6f22199ec14fa48d18ac1ce</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Git 1.6.6.3</title>
<updated>2010-12-15T19:32:57Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2010-12-15T19:32:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=abf411e28d9df669b0e690578a1eb95c0bd29847'/>
<id>urn:sha1:abf411e28d9df669b0e690578a1eb95c0bd29847</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Git 1.6.5.9</title>
<updated>2010-12-15T19:27:41Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2010-12-15T19:27:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ec82874ad47627a44b6b22a6645551a214293711'/>
<id>urn:sha1:ec82874ad47627a44b6b22a6645551a214293711</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Introduce esc_attr to escape attributes of HTML elements</title>
<updated>2010-12-15T19:16:31Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2010-12-14T23:34:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3017ed62f47ce14a959e2d315c434d4980cf4243'/>
<id>urn:sha1:3017ed62f47ce14a959e2d315c434d4980cf4243</id>
<content type='text'>
It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.

While at it, add esc_url and esc_html where needed, and prefer to use
CGI.pm HTML generating methods rather than handcrafted HTML code.  Most of
those are probably unnecessary (could be exploited only by a person with
write access to gitweb config, or at least access to the repository).

This fixes CVE-2010-3906

Reported-by: Emanuele Gentili &lt;e.gentili@tigersecurity.it&gt;
Helped-by: John 'Warthog9' Hawley &lt;warthog9@kernel.org&gt;
Helped-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: git_get_project_config requires only $git_dir, not also $project</title>
<updated>2010-03-31T17:57:04Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2010-03-27T19:26:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7a49c254cdaec6b15a6e2818e29fdb34fc6f7717'/>
<id>urn:sha1:7a49c254cdaec6b15a6e2818e29fdb34fc6f7717</id>
<content type='text'>
Fix overeager early return in git_get_project_config, introduced in 9be3614
(gitweb: Fix project-specific feature override behavior, 2010-03-01).  When
git_get_project_config is called from the projects list page via
git_get_project_owner($path) etc., it is called with $git_dir defined (in
git_get_project_owner($path) etc.), but $project variable is not defined.
git_get_project_config doesn't use $project variable anyway.

Reported-by: Tobias Heinlein &lt;keytoaster@gentoo.org&gt;
Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jn/gitweb-config-error-die' into maint</title>
<updated>2010-03-05T06:27:12Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2010-03-05T06:27:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7d181222ea568ada9952f23a8f92b35bce161cc2'/>
<id>urn:sha1:7d181222ea568ada9952f23a8f92b35bce161cc2</id>
<content type='text'>
* jn/gitweb-config-error-die:
  gitweb: Die if there are parsing errors in config file
</content>
</entry>
<entry>
<title>gitweb: Fix project-specific feature override behavior</title>
<updated>2010-03-02T20:14:44Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2010-03-01T21:51:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9be3614eff36271d5f1cd460a568a219902cb044'/>
<id>urn:sha1:9be3614eff36271d5f1cd460a568a219902cb044</id>
<content type='text'>
This commit fixes a bug in processing project-specific override in
a situation when there is no project, e.g. for the projects list page.

When 'snapshot' feature had project specific config override enabled
by putting
  $feature{'snapshot'}{'override'} = 1;

(or equivalent) in $GITWEB_CONFIG, and when viewing toplevel gitweb
page, which means the projects list page (to be more exact this
happens for any project-less action), gitweb would put the following
Perl warnings in error log:

  gitweb.cgi: Use of uninitialized value $git_dir in concatenation (.) or string at gitweb.cgi line 2065.
  fatal: error processing config file(s)
  gitweb.cgi: Use of uninitialized value $git_dir in concatenation (.) or string at gitweb.cgi line 2221.
  gitweb.cgi: Use of uninitialized value $git_dir in concatenation (.) or string at gitweb.cgi line 2218.

The problem is in the following fragment of code:

  # path to the current git repository
  our $git_dir;
  $git_dir = "$projectroot/$project" if $project;

  # list of supported snapshot formats
  our @snapshot_fmts = gitweb_get_feature('snapshot');
  @snapshot_fmts = filter_snapshot_fmts(@snapshot_fmts);

For the toplevel gitweb page, which is the list of projects, $project is not
defined, therefore neither is $git_dir.  gitweb_get_feature() subroutine
calls git_get_project_config() if project specific override is turned
on... but we don't have project here.

Those errors mentioned above occur in the following fragment of code in
git_get_project_config():

  	# get config
  	if (!defined $config_file ||
  	    $config_file ne "$git_dir/config") {
  		%config = git_parse_project_config('gitweb');
  		$config_file = "$git_dir/config";
  	}

git_parse_project_config() calls git_cmd() which has '--git-dir='.$git_dir

There are (at least) three possible solutions:
1. Harden gitweb_get_feature() so that it doesn't call
   git_get_project_config() if $project (and therefore $git_dir) is not
   defined; there is no project for project specific config.
2. Harden git_get_project_config() like you did in your fix, returning early
   if $git_dir is not defined.
3. Harden git_cmd() so that it doesn't add "--git-dir=$git_dir" if $git_dir
   is not defined, and change git_get_project_config() so that it doesn't
   even try to access $git_dir if it is not defined.

This commit implements both 1.) and 2.), i.e. gitweb_get_feature() doesn't
call project-specific override if $git_dir is not defined (if there is no
project), and git_get_project_config() returns early if $git_dir is not
defined.

Add a test for this bug to t/t9500-gitweb-standalone-no-errors.sh test.

Reported-by: Eli Barzilay &lt;eli@barzilay.org&gt;
Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb multiple project roots documentation</title>
<updated>2010-03-02T20:14:20Z</updated>
<author>
<name>Sylvain Rabot</name>
<email>sylvain@abstraction.fr</email>
</author>
<published>2010-03-02T00:04:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=964ad928d65b8bdf15bee4a662629824a0b3a0e7'/>
<id>urn:sha1:964ad928d65b8bdf15bee4a662629824a0b3a0e7</id>
<content type='text'>
This commit adds in the gitweb/README file a description of how to use gitweb
with several project roots using apache virtualhost rewrite rules.

Signed-off-by: Sylvain Rabot &lt;sylvain@abstraction.fr&gt;
Acked-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Die if there are parsing errors in config file</title>
<updated>2010-02-15T02:50:22Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2010-02-14T21:46:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e6e592db4c0099a6412aed6e868769535900f112'/>
<id>urn:sha1:e6e592db4c0099a6412aed6e868769535900f112</id>
<content type='text'>
Otherwise the errors can propagate, and show in the damnedest places, and
you would spend your time chasing ghosts instead of debugging the real
problem (yes, it is from personal experience).

This follows (parts of) advice in `perldoc -f do` documentation.

This required restructuring the code a bit, so we die only if we are reading
(executing) config file.  As a side effect $GITWEB_CONFIG_SYSTEM is always
available, even when we use $GITWEB_CONFIG.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Simplify (and fix) chop_str</title>
<updated>2010-02-04T01:14:00Z</updated>
<author>
<name>John 'Warthog9' Hawley</name>
<email>warthog9@kernel.org</email>
</author>
<published>2010-02-03T11:28:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=57017b3e1554b169f3db52a7f8da4e359d043ca8'/>
<id>urn:sha1:57017b3e1554b169f3db52a7f8da4e359d043ca8</id>
<content type='text'>
The chop_str subroutine is meant to be used on strings (such as commit
description / title) *before* HTML escaping, which means before
applying esc_html or equivalent.

Therefore get rid of the failed attempt to always remove full HTML
entities (like e.g. &amp;amp; or &amp;nbsp;).  It is not necessary (HTML
entities get added later), and it can cause chop_str to chop a string
incorrectly.

Specifically:

     API &amp; protocol: support option to force written data immediately to disk

from http://git.kernel.org/?p=daemon/distsrv/chunkd.git;a=commit;h=3b02f749df2cb1288f345a689d85e7061f507e54

The short version of the title gets chopped to

     API ...

where it should be

     API &amp; protocol: support option to force written data...

Noticed-by: John 'Warthog9' Hawley &lt;warthog9@kernel.org&gt;
Signed-off-by: John 'Warthog9' Hawley &lt;warthog9@kernel.org&gt;
Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
