Lukas Fleischer [Tue, 20 Aug 2013 16:56:13 +0000 (18:56 +0200)]
ui-patch.c: Use log_tree_commit() to generate diffs
Instead of using our own formatting, use log_tree_commit() from Git to
create patches. This removes unnecessary duplicate code and also fixes a
bug with e-mail address formatting that existed in our own
implementation.
Lukas Fleischer [Tue, 20 Aug 2013 16:56:12 +0000 (18:56 +0200)]
ui-diff: Check the return value of get_sha1()
Sync with what we do everywhere else and check the return value of
get_sha1() instead of calling sha1_object_info() to validate the object.
Note that we later call lookup_commit_reference(), which checks that
both SHA1 values refer to commits, anyway.
Lukas Fleischer [Fri, 28 Jun 2013 08:58:14 +0000 (08:58 +0000)]
Fix section-from-path > 1
When having found the first path separator occurrence at position i, we
invoked strchr() on the same position i in subsequent iterations
resulting in the same path separator being returned by strchr() over and
over again. Increase the position by one to skip the occurrence that has
just been found and advance to the next separator.
Reported-by: Konstantin Ryabitsev <mricon@kernel.org> Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Lukas Fleischer [Tue, 4 Jun 2013 14:47:53 +0000 (14:47 +0000)]
Use strbuf for reading configuration files
Use struct strbuf from Git instead of fixed-size buffers to remove the
limit on the length of configuration file lines and refactor
read_config_line() to improve readability.
Note that this also fixes a buffer overflow that existed with the
original fixed-size buffer implementation.
We've long supported negative ttls, for infinite cache, except the
documentation incorrectly showed one of our defaults as being 5 and not
-1. As well, with a negative ttl, we were actually making the HTTP
expired header go backwards. This changes it to go ahead ten years
instead.
Further, we add an cache-about-ttl option to set a different ttl for
about pages, which are now increasingly being filtered through markdown
or just sent statically anyway.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
My dmesg is filled with the oom killer bringing down processes while the
Bingbot downloads every snapshot for every commit of the Linux kernel in
tar.xz format. Sure, I should be running with memory limits, and now I'm
using cgroups, but a more general solution is to prevent crawlers from
wasting resources like that in the first place.
Suggested-by: Natanael Copa <ncopa@alpinelinux.org> Suggested-by: Julius Plenz <plenz@cis.fu-berlin.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Features:
- update to git v1.8.3.
- expanded set of default filters to include markdown, restructuredtext, and
man pages.
- better sample configuration file in man page.
- "readme" may now be specified multiple times, and cgit will choose the first
one it finds.
- "readme" no longer needs a branch name. If prefixed with simply ":" it will
use the default branch.
- "branch-sort" allowing branches to be sorted either by "age" or "name", for
kernel.org.
- "enable-index-owner" allowing the owner column to be disabled in the index
page.
- print submodule revision next to submodule link.
- integrate more closely with git apis, such as strbuf.
- rely on git test harness and git makefiles.
- more robust test suite.
- more rebust makefile dependency accounting.
- pager navigation is now unordered list.
- span tag wraps commit directions.
Behavior changes:
- HOME is no longer passed as an environment variable to any filter api
scripts.
- "about-filter" now receives the filename being filtered as argv[1]. This may
disrupt existing scripts, so adjust accordingly.
- gitconfig and gitattributes are no longer loaded from any system directories
or home directories.
Security:
- CVE-2013-2117: disallow directory traversal when readme is set to filesystem
path.
Bug fixes:
- ssdiff now correctly manages tab expansion.
- support unannotated tags in http git clone.
- lots of cleanups of global variables and memory leaks.
- do not rely on gettext/libintl.
- better C standard compliance.
- make several functions and variables static.
- improved constification.
- remove unused functions.
- fix colspan values to correct width.
- fix out-of-bounds memory accesses with virtual_root="".
- cache repo config more precisely.
- die when write fails.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Using the url= query string, it was possible request arbitrary files
from the filesystem if the readme for a given page was set to a
filesystem file. The following request would return my /etc/passwd file:
This fix uses realpath(3) to canonicalize all paths, and then compares
the base components.
This fix introduces a subtle timing attack, whereby a client can check
whether or not strstr is called using timing measurements in order
to determine if a given file exists on the filesystem.
This fix also does not account for filesystem race conditions (TOCTOU)
in resolving symlinks.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The readme variable may now contain multiple space deliminated entries,
which per usual are either a filepath or a git ref filepath. If multiple
are specified, cgit will now select the first one in the list that
exists. This is to make it easier to specify multiple default readme
types in the main cgitrc file and have them automatically get applied to
each repo based on what exists.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
John Keeping [Sat, 18 May 2013 17:46:39 +0000 (18:46 +0100)]
cache.c: cache ls_cache output properly
By using the standard library's printf, cache_ls does not redirect its
output to the cache when we change the process' stdout file descriptor
to point to the cache file. Fix this by using "htmlf" in the same way
that we do for writing HTTP headers.
John Keeping [Sat, 18 May 2013 17:46:38 +0000 (18:46 +0100)]
tests: introduce strip_header() helper function
This means that we can avoid hardcoding the number of headers we expect
CGit to generate in test cases and simply remove whatever headers happen
to by there when we are checking body content.
John Keeping [Sat, 18 May 2013 14:57:03 +0000 (15:57 +0100)]
html.c: die when write fails
If we fail to write HTML output once, there's no point carrying on so
just write a failure message once and die. By using Git's die_errno
function we also let the user know in what way the write failed.
John Keeping [Sat, 18 May 2013 14:54:49 +0000 (15:54 +0100)]
ui-log: add <span/> around commit decorations
This helps projects that have a large number of tags to display them all
using custom CSS.
The default stylesheet has not been updated since what is useful for
projects with a lot of tags is not the same as what is useful for
projects with only a small number of decorations per commit.
Suggested-by: Konstantin Ryabitsev <mricon@kernel.org> Signed-off-by: John Keeping <john@keeping.me.uk>
John Keeping [Sat, 18 May 2013 14:17:08 +0000 (15:17 +0100)]
Makefile: fix parallel "make test"
When building the "test" target we depend on both cgit and building the
Git tools. By doing this with two targets we end up running make in the
git/ directory twice, concurrently if using parallel make, which causes
us to build more than we need and potentially builds incorrectly if
multi-step build-then-move operations overlap.
Fix this by instead calling back into the makefile so that we alter the
"cgit" target to also build the Git tools.
John Keeping [Sat, 18 May 2013 17:28:14 +0000 (18:28 +0100)]
cache.c: fix cache_ls
Commit fb3655d (use struct strbuf instead of static buffers, 2013-04-06)
broke the logic in cache.c::cache_ls by failing to set slot->cache_name
before calling open_slot.
While fixing this, also free the strbufs added by that commit once we're
done with them.
It's a bit tedious to have to do this here too. If we encounter other
issues with $HOME down the line, I'll look into adding some nice utility
functions to handle this, or perhaps giving up on the hope that we could
keep $HOME defined for scripts.
This commit additionally adds a test case, should the issue surface
again.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
John Keeping [Sat, 27 Apr 2013 09:48:56 +0000 (10:48 +0100)]
t0001: validate Git -rcN version numbers correctly
When creating the GIT-VERSION-FILE that we use to test that the version
of Git in git/ is the same as in the CGit Makefile, Git applies the
transform "s/-/./g" to the version string. This doesn't affect released
versions but does change RC version numbers such as 1.8.3-rc0.
While CGit should only refer to a released Git version in general, it is
useful to developers who want to test upcoming Git releases if the tests
do work with RCs, so change t0001 to apply the same transform to our
Makefile version before comparing it to the contents of
GIT-VERSION-FILE.
John Keeping [Tue, 16 Apr 2013 17:39:58 +0000 (18:39 +0100)]
scan-tree: fix regression in section-from-path=-1
Commit fb3655d (use struct strbuf instead of static buffers -
2013-04-06) introduced a regression in the "section-from-path" handling
when the configured value is negative. By changing the "rel" variable
so that it includes a trailing slash, counting slashes from the end of
the string no longer gives the same answer as it did before.
Fix this by ensuring that "rel" does not have a trailing slash.
Reported-by: Julius Plenz <plenz@cis.fu-berlin.de> Signed-off-by: John Keeping <john@keeping.me.uk>
John Keeping [Sun, 14 Apr 2013 18:15:43 +0000 (19:15 +0100)]
t0001: ignore ".dirty" suffix on Git version
When testing modifications in Git that affect CGit, it is annoying to
have t0001 failing simply because the Git version has a ".dirty" suffix
when the version of Git there does indeed match that specified in the
CGit makefile. Stop this by stripping the ".dirty" suffix from the
GIT_VERSION variable.
Note that this brings the "Git version" behaviour in line with the
"submodule version" case which does not check if the working tree in
git/ is modified.
John Keeping [Sun, 14 Apr 2013 16:59:30 +0000 (17:59 +0100)]
tests: set TEST_OUTPUT_DIRECTORY to the CGit test directory
By default, Git's test suite puts the trash directories and test-results
directory into its own directory, not that containing the tests being
run. This is less convenient for inspecting test failures, so set the
output directory to CGit's tests/ directory instead.
Note that there is currently a bug in Git whereby it will create the
trash directories in our tests/ directory regardless of the value of
TEST_OUTPUT_DIRECTORY, and then fail to remove them once the tests are
done. This change does currently affect the location of the
test-results/ directory though.
John Keeping [Sun, 14 Apr 2013 16:07:41 +0000 (17:07 +0100)]
t0109: test more URLs
In order to ensure that we don't access $HOME at some point after
initial startup when rendering a specific view, run the strace test on a
range of different pages.
This ensures that we don't end up reading a configuration later for some
specific view.
ui-snapshot.c: Prepend "V" when guessing ref names
In cgit_print_snapshot_links() we strip leading "v" and "V", while we
currently only prepend a lower case "v" when parsing a snapshot file
name. This results in broken snapshot links for tags that start with an
upper case "V". Avoid this by prepending a "V" as a fallback.
Note that we cannot use skip_all here since some tests have already been
executed when ZIP tests are reached. Use test prerequisites to skip
everything using unzip(1) if the binary is not available instead.
John Keeping [Wed, 10 Apr 2013 12:11:57 +0000 (13:11 +0100)]
t0109: chain operations with &&
Without '&&' between operations, we will not detect if strace or cgit
exit with an error status, which would cause a false positive test
status in this case.
cgit.c: Do not restore unset environment variables
getenv() returns a NULL pointer if the specified variable name cannot be
found in the environment. However, some setenv() implementations crash
if a NULL pointer is passed as second argument. Only restore variables
that are not NULL.
With the latest changes to prevent git from accessing configuration
files that it should not, it's important to be sure that we won't
have further breakage in the future.
Use strace to implement a test to make sure cgit does not access()
anything built from $HOME.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
John Keeping [Mon, 1 Apr 2013 14:09:05 +0000 (15:09 +0100)]
tests: use Git's test framework
This allows tests to run in parallel as well as letting us use "prove"
or another TAP harness to run the tests.
Git's test framework requires Git to be fully built before letting any
tests run, so add a new target to the top-level Makefile which builds
all of Git instead of just libgit.a and make the "test" target depend on
that.
Do not load user or system gitconfig and gitattributes
While doing any kind of git loading, unset HOME variables and set
NOSYSTEM variables so that cgit does not load any settings that a user
may have set for his own /usr/bin/git usage.
This fixes a fatal error introduced with git 1.8, whereupon git would
fatally exit when failing to access particular files.
The result of this is that only repo-local configuration files are
accessed:
Reported-by: Ferry Huberts <ferry.huberts@pelagic.nl> Tested-by: Jason A. Donenfeld <Jason@zx2c4.com> Tested-by: Ferry Huberts <ferry.huberts@pelagic.nl> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
John Keeping [Sat, 6 Apr 2013 09:28:57 +0000 (10:28 +0100)]
use struct strbuf instead of static buffers
Use "struct strbuf" from Git to remove the limit on file path length.
Notes on scan-tree:
This is slightly involved since I decided to pass the strbuf into
add_repo() and modify if whenever a new file name is required, which
should avoid any extra allocations within that function. The pattern
there is to append the filename, use it and then reset the buffer to its
original length (retaining a trailing '/').
Notes on ui-snapshot:
Since write_archive modifies the argv array passed to it we
copy the argv_array values into a new array of char* and then free the
original argv_array structure and the new array without worrying about
what the values now look like.
John Keeping [Sat, 6 Apr 2013 09:49:22 +0000 (10:49 +0100)]
Remove redundant calls to fmt("%s", ...)
After this change there is one remaining call 'fmt("%s", delim)' in
ui-shared.c but is needed as delim is stack allocated and so cannot be
returned from the function.
John Keeping [Sat, 6 Apr 2013 10:23:52 +0000 (11:23 +0100)]
Convert cgit_print_error to a variadic function
This removes many uses of "fmt" which uses a fixed size static pool of
fixed size buffers. Instead of relying on these, we now pass around
argument lists for as long as possible before using a strbuf to render
content of an arbitrary size.
John Keeping [Sun, 7 Apr 2013 13:40:50 +0000 (14:40 +0100)]
html.c: add various strbuf and varadic helpers
This adds the fmtalloc helper, html_txtf, html_vtxtf, and html_attrf.
These takes a printf style format string like htmlf but escapes the
resulting string. The html_vtxtf variant takes a va_list whereas
html_txtf is variadic.
John Keeping [Mon, 1 Apr 2013 18:03:34 +0000 (19:03 +0100)]
Fix out-of-bounds memory accesses with virtual_root=""
The CGit configuration variable virtual_root is normalized so that it
does not have a trailing '/' character, but it is allowed to be empty
(the empty string and NULL have different meanings here) and there is
code that is insufficiently cautious when checking if it ends in a '/':
if (virtual_root[strlen(virtual_root) - 1] != '/')
Clearly this check is redundant, but rather than simply removing it we
get a slight efficiency improvement by switching the normalization so
that the virtual_root variable always ends in '/'. Do this with a new
"ensure_end" helper.
The code snippets for OBJ_TAG and other object types are almost
equivalent. Merge them and use a couple of inline if conditions to
select proper fields.
print_tag_header() is only called from cgit_print_tags() -- the
conditional invocation in print_tag() is never executed since
print_tag() is only called by cgit_print_tags() which already executes
print_tag_header() before (resulting in the global variable being always
set in when the condition is evaluated).
Remove the global variable and the conditional invocation.
John Keeping [Thu, 4 Apr 2013 17:32:24 +0000 (18:32 +0100)]
cgit.mk: fix dependency handling
Git calculates the dependency files to be included using a simply
expanded Makefile variable, so it does not include the CGit objects that
are added after that Makefile has been processed.
We therefore need to include the dependency files ourselves in order to
get the dependency calculations right. Do this.
Do not unnecessarily strdup() environment variables
This reverts the memory duplication introduced in commit 60a2627, while
keeping everything else that has been cleaned up. The environment
variables are never modified, so we do not need to call xstrdupn() here.
Also, remove xstrdupn() which is no longer needed.
These reflect the values of environment variables and should never be
changed. Add another xstrdup() when we assign environment variables to
strings that are potentially non-constant.
Return const char * in cgit_{httpscheme, hosturl, rooturl}()
The return values of these functions are essentially constant and should
never be modified.
Note that this will introduce a compiler warning when we try to free the
return value of any of these functions. However, given that all of these
currently return statically allocated strings in some cases, they need
to be refactored before this can be done anyway.
John Keeping [Mon, 8 Apr 2013 08:00:22 +0000 (09:00 +0100)]
Update git to v1.8.2.1
This requires a small change to how we handle notes, but otherwise just
works.
Note that we can't use anything from v1.8.0 until v1.8.2.1 because some
of the symbols that we need for graph drawing were made private in
v1.8.0 and this was not reverted until v1.8.2.1.
John Keeping [Sun, 7 Apr 2013 14:06:23 +0000 (15:06 +0100)]
ui-blob: don't segfault when no path is given
It it possible to inspect blobs by specifying only the SHA-1, and CGit
provides links to do so, for example if a tag points directly at a blob.
In this case the path_items structure is never used, but creating it
still causes strlen to be run on a null pointer. Fix this.
This error was introduced by commit c1633c6 (Update git to v1.7.6.5 -
2013-03-02).
Lukas Fleischer [Tue, 5 Mar 2013 15:48:27 +0000 (16:48 +0100)]
ui-summary.c: Move urls variable into print_urls()
There's no need for this variable to be global. Printing the header in
print_urls() instead of print_url() allows for moving this variable into
print_urls() without having to pass any status to print_url().
Note that this only works as long as we don't call print_urls() more
than once.
This squelches a gcc warning. It's also correct that we check to see if
there are any partial or failed writes. For now, we just print a warning
to stderr. In the future, perhaps it will prove wise to exit(1) on
partial writes.
Since tail is initialized to 0, we will never get a warning on the last
if statement, but recent gcc complains anyway. So, we initialize len as
well. Future gcc versions should be able to optimize this out anyway.
John Keeping [Wed, 6 Mar 2013 21:22:09 +0000 (21:22 +0000)]
cgit.mk: Use SHELL_PATH_SQ to run gen-version.sh
On some platforms (notably Solaris) /bin/sh doesn't support enough of
POSIX for gen-version.sh to run. Git's Makefile provides SHELL_PATH_SQ
to address this issue so we just have to use it.
John Keeping [Wed, 6 Mar 2013 21:22:08 +0000 (21:22 +0000)]
cgit.mk: don't rebuild everything if CGIT_VERSION changes
If CGIT_VERSION is in CGIT_CFLAGS then a change in version (for example
because you have committed your changes) causes all of the CGit objects
to be rebuilt. Avoid this by using EXTRA_CPPFLAGS to add the version
for only those files that are affected and make them depend on VERSION.
John Keeping [Wed, 6 Mar 2013 21:22:07 +0000 (21:22 +0000)]
ui-patch: use cgit_version not CGIT_VERSION
We already have a global cgit_version which is set from the #define'd
CGIT_VERSION in cgit.c. Change ui-patch.c to use this so that we only
need to rebuild cgit.o when the version changes.
John Keeping [Wed, 6 Mar 2013 21:22:06 +0000 (21:22 +0000)]
Makefile: re-use Git's Makefile where possible
Git does quite a lot of platform-specific detection in its Makefile,
which can result in it defining preprocessor variables that are used in
its header files. If CGit does not define the same variables it can
result in different sizes of some structures in different places in the
same application.
For example, on Solaris Git uses it's "compat" regex library which has a
different sized regex_t structure than that available in the platform
regex.h. This has a knock-on effect on the size of "struct rev_info"
and leads to hard to diagnose runtime issues.
In order to avoid all of this, introduce a "cgit.mk" file that includes
Git's Makefile and make all of the existing logic apply to CGit's
objects as well. This is slightly complicated because Git's Makefile
must run in Git's directory, so all references to CGit files need to be
prefixed with "../".
In addition, OBJECTS is a simply expanded variable in Git's Makefile so
we cannot just add our objects to it. Instead we must copy the two
applicable rules into "cgit.mk". This has the advantage that we can
split CGit-specific CFLAGS from Git's CFLAGS and hence avoid rebuilding
all of Git whenever a CGit-specific value changes.
Signed-off-by: John Keeping <john@keeping.me.uk> Acked-by: Jamie Couture <jamie.couture@gmail.com>
John Keeping [Wed, 6 Mar 2013 20:51:54 +0000 (20:51 +0000)]
ui-shared: fix return type of cgit_self_link
cgit_self_link() is a void function but implements each case it handles
by doing "return <another_void_function>" which is not valid C; section
6.8.6.4 of C11 says:
A return statement with an expression shall not appear in a
function whose return type is void.
Fix this by removing the return keywords and converting the final code
block into an "else".
Lukas Fleischer [Mon, 4 Mar 2013 12:25:38 +0000 (13:25 +0100)]
cgit_print_snapshot_links(): Free prefix variable
Fixes following memory leak seen with "PATH_INFO=/cgit/commit/":
==16894== 12 bytes in 1 blocks are definitely lost in loss record 9 of 92
==16894== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16894== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==16894== by 0x46CAC8: xstrdup (wrapper.c:35)
==16894== by 0x414E34: cgit_print_snapshot_links (ui-shared.c:926)
==16894== by 0x40CFA1: cgit_print_commit (ui-commit.c:102)
==16894== by 0x407B06: commit_fn (cmd.c:54)
==16894== by 0x405E16: process_request (cgit.c:574)
==16894== by 0x4074C8: cache_process (cache.c:322)
==16894== by 0x406C4F: main (cgit.c:872)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:37 +0000 (13:25 +0100)]
cgit_print_commit(): Free tmp variable
Fixes following memory leak seen with "PATH_INFO=/cgit/commit/":
==16894== 7 bytes in 1 blocks are definitely lost in loss record 4 of 92
==16894== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16894== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==16894== by 0x46CAC8: xstrdup (wrapper.c:35)
==16894== by 0x40CD6F: cgit_print_commit (ui-commit.c:70)
==16894== by 0x407B06: commit_fn (cmd.c:54)
==16894== by 0x405E16: process_request (cgit.c:574)
==16894== by 0x4074C8: cache_process (cache.c:322)
==16894== by 0x406C4F: main (cgit.c:872)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:36 +0000 (13:25 +0100)]
cgit_print_tree(): Free curr_rev after usage
Fixes following memory leak seen with "PATH_INFO=/cgit/tree/":
==15715== 7 bytes in 1 blocks are definitely lost in loss record 4 of 51
==15715== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15715== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==15715== by 0x46CAA8: xstrdup (wrapper.c:35)
==15715== by 0x418A4C: cgit_print_tree (ui-tree.c:274)
==15715== by 0x407D91: tree_fn (cmd.c:131)
==15715== by 0x405E16: process_request (cgit.c:574)
==15715== by 0x4074C8: cache_process (cache.c:322)
==15715== by 0x406C4F: main (cgit.c:872)
projects / cgit / log