Lukas Fleischer [Mon, 4 Mar 2013 12:25:37 +0000 (13:25 +0100)]
cgit_print_commit(): Free tmp variable
Fixes following memory leak seen with "PATH_INFO=/cgit/commit/":
==16894== 7 bytes in 1 blocks are definitely lost in loss record 4 of 92
==16894== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16894== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==16894== by 0x46CAC8: xstrdup (wrapper.c:35)
==16894== by 0x40CD6F: cgit_print_commit (ui-commit.c:70)
==16894== by 0x407B06: commit_fn (cmd.c:54)
==16894== by 0x405E16: process_request (cgit.c:574)
==16894== by 0x4074C8: cache_process (cache.c:322)
==16894== by 0x406C4F: main (cgit.c:872)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:36 +0000 (13:25 +0100)]
cgit_print_tree(): Free curr_rev after usage
Fixes following memory leak seen with "PATH_INFO=/cgit/tree/":
==15715== 7 bytes in 1 blocks are definitely lost in loss record 4 of 51
==15715== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15715== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==15715== by 0x46CAA8: xstrdup (wrapper.c:35)
==15715== by 0x418A4C: cgit_print_tree (ui-tree.c:274)
==15715== by 0x407D91: tree_fn (cmd.c:131)
==15715== by 0x405E16: process_request (cgit.c:574)
==15715== by 0x4074C8: cache_process (cache.c:322)
==15715== by 0x406C4F: main (cgit.c:872)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:35 +0000 (13:25 +0100)]
find_default_branch(): Free refmatch after usage
Fixes following memory leak seen with "PATH_INFO=/cgit/refs/":
==13408== 7 bytes in 1 blocks are definitely lost in loss record 4 of 52
==13408== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13408== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==13408== by 0x46CA78: xstrdup (wrapper.c:35)
==13408== by 0x405840: find_current_ref (cgit.c:426)
==13408== by 0x44BE5A: do_one_ref (refs.c:527)
==13408== by 0x44D3E0: do_for_each_ref_in_dir (refs.c:553)
==13408== by 0x44D85A: do_for_each_ref (refs.c:1298)
==13408== by 0x405889: find_default_branch (cgit.c:438)
==13408== by 0x405AC4: prepare_repo_cmd (cgit.c:490)
==13408== by 0x405D97: process_request (cgit.c:557)
==13408== by 0x407490: cache_process (cache.c:322)
==13408== by 0x406C18: main (cgit.c:864)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:34 +0000 (13:25 +0100)]
print_tag_downloads(): Free ref variable
Make sure the ref variable is freed if we build a
"$basename-$version"-style ref.
This fixes following memory leak seen with "PATH_INFO=/cgit/refs/":
==8784== 323 bytes in 29 blocks are definitely lost in loss record 41 of 53
==8784== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8784== by 0x56F2DF1: strdup (in /usr/lib/libc-2.17.so)
==8784== by 0x46CA28: xstrdup (wrapper.c:35)
==8784== by 0x410DA6: print_tag_downloads (ui-refs.c:115)
==8784== by 0x410F02: print_tag (ui-refs.c:141)
==8784== by 0x41128B: cgit_print_tags (ui-refs.c:230)
==8784== by 0x41134D: cgit_print_refs (ui-refs.c:250)
==8784== by 0x407C85: refs_fn (cmd.c:105)
==8784== by 0x405DDF: process_request (cgit.c:566)
==8784== by 0x407490: cache_process (cache.c:322)
==8784== by 0x406C18: main (cgit.c:864)
Lukas Fleischer [Mon, 4 Mar 2013 12:25:33 +0000 (13:25 +0100)]
Free reflists after usage
Free reflists in cgit_print_branches() and in cgit_print_tags() before
returning reflist structures to the stack.
This fixes following memory leaks seen with "PATH_INFO=/cgit/refs/":
==5710== 1,312 (32 direct, 1,280 indirect) bytes in 1 blocks are definitely lost in loss record 63 of 71
==5710== at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5710== by 0x4C2C2FF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5710== by 0x46CA9B: xrealloc (wrapper.c:100)
==5710== by 0x40AAA6: cgit_add_ref (shared.c:156)
==5710== by 0x40ABC4: cgit_refs_cb (shared.c:186)
==5710== by 0x44BCBA: do_one_ref (refs.c:527)
==5710== by 0x44D240: do_for_each_ref_in_dir (refs.c:553)
==5710== by 0x44D6BA: do_for_each_ref (refs.c:1298)
==5710== by 0x410FE2: cgit_print_branches (ui-refs.c:191)
==5710== by 0x4111E9: cgit_print_refs (ui-refs.c:244)
==5710== by 0x407C85: refs_fn (cmd.c:105)
==5710== by 0x405DDF: process_request (cgit.c:566)
==5710==
==5710== 6,846 (256 direct, 6,590 indirect) bytes in 1 blocks are definitely lost in loss record 68 of 71
==5710== at 0x4C2C25E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5710== by 0x46CA9B: xrealloc (wrapper.c:100)
==5710== by 0x40AAA6: cgit_add_ref (shared.c:156)
==5710== by 0x40ABC4: cgit_refs_cb (shared.c:186)
==5710== by 0x44BCBA: do_one_ref (refs.c:527)
==5710== by 0x44D240: do_for_each_ref_in_dir (refs.c:553)
==5710== by 0x44D6EC: do_for_each_ref (refs.c:1288)
==5710== by 0x4110D5: cgit_print_tags (ui-refs.c:218)
==5710== by 0x4111FD: cgit_print_refs (ui-refs.c:246)
==5710== by 0x407C85: refs_fn (cmd.c:105)
==5710== by 0x405DDF: process_request (cgit.c:566)
==5710== by 0x407490: cache_process (cache.c:322)
John Keeping [Mon, 4 Mar 2013 21:58:49 +0000 (21:58 +0000)]
tests: "grep -e" is not portable to all platforms
The "-e" option to grep is not needed unless specifying more than one
pattern, which we don't do. Remove it to avoid restricting the tests on
platforms that do not have a grep that recognises "-e".
Jamie Couture [Sat, 17 Nov 2012 18:02:17 +0000 (13:02 -0500)]
Makefile: improve dependency generation
Makefile target generation would always be included for any makefile
target that was not clean. Only care to include the '.deps' directory
when building cgit, rather than generating and including dependencies
when calling other makefile targets.
Heavily borrowed from git's Makefile, but without definitions to test
for the compiler's header dependency feature. Previous Makefile
implementation never checked for this compiler feature anyway.
- Removed makecmdgoal 'clean' check
- Grouped like .PHONY target definitions
- Place build dependency targets under .SUFFIXES
- Re-arranged location of library inclusion definitions
- Use google code mirror instead of github
Signed-off-by: Jamie Couture <jamie.couture@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Lukas Fleischer [Sun, 3 Mar 2013 15:49:47 +0000 (16:49 +0100)]
ui-tree.c: Declare the state variable globally
This allows for removing the header variable in a following patch. We
can use the state variable to check whether the tail needs to be printed
instead.
Note that the state variable will be moved into a context structure
later.
Lukas Fleischer [Sun, 3 Mar 2013 16:27:54 +0000 (17:27 +0100)]
ui-plain.c: Use a context structure in walk_tree()
Do not misuse global variables to save the context. Instead, use the
context pointer which was designed to share information between a
read_tree_fn and the caller.
Lukas Fleischer [Sun, 3 Mar 2013 16:27:46 +0000 (17:27 +0100)]
ui-blob.c: Use a context structure in walk_tree()
Do not misuse global variables to save the context. Instead, use the
context pointer which was designed to share information between a
read_tree_fn and the caller.
This also prevents from potential misuse of the global pointers
match_path and matched_sha1 after the referenced values have been
overwritten on the stack.
parse_archive_args does not pass PARSE_OPT_KEEP_ARGV0 to parse_args,
which means the first argument will be discarded, as though it were a
function being called from the command-line. Thus, we fill argv[0] with
a dummy argument to prevent this from happening.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Lukas Fleischer [Sun, 3 Mar 2013 15:04:29 +0000 (16:04 +0100)]
Fix several whitespace errors
* Remove whitespace at the end of lines.
* Replace space indentation by tabs.
* Add whitespace before/after several operators ("+", "-", "*", ...)
* Add whitespace to assignments ("foo = bar;").
* Fix whitespace in parameter lists ("foobar(foo, bar, 42)").
Matthew McClintock reported that older unannotated tags were not
correctly being cloned and did not appear in info/refs. Further
investigation revealed some dubious prefix comparison code for
determining whether or not to write refs in info/refs. After comparing
it with git's own http-backend.c, it appears upstream does not use this
prefix logic.
OTOH, I don't know what the reasoning was when the prefix logic was
introduced. It appears to me to just be buggy, though it's possible
there are other reasons, and we'll have to revisit this commit.
But for now, Works For Me.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Matthew McClintock <msm@freescale.com> Reported-by: Matthew McClintock <msm@freescale.com>
Florian Pritz [Fri, 1 Feb 2013 09:59:13 +0000 (10:59 +0100)]
Make "owner" column on index page configurable
This is not really needed for personal sites where all repos belong to
the same person. Since it is pretty useful for shared sites however, it
should be configurable.
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Enhancements:
- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile
Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stablization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Julius Plenz [Tue, 30 Oct 2012 12:56:01 +0000 (13:56 +0100)]
ssdiff: point line links at exact blob by prepending "id="
Previously, the id_str (i.e. the current or diffed-against commit's
SHA1 ID) was simply concatenated to the URL. Now, prepend an "id="
string so that the links actually point to the right blobs and thus
the exact lines.
Signed-off-by: Julius Plenz <plenz@cis.fu-berlin.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Michael Halstead [Wed, 14 Nov 2012 20:41:01 +0000 (12:41 -0800)]
Format git diff headers correctly when adding or removing files.
Copying the output of cgit and using it in patches now works when adding
files to or removing files from the repository. This is helpful for people
who use cgit in their patch workflow.
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.
Tobias Bieniek [Tue, 9 Oct 2012 18:53:29 +0000 (20:53 +0200)]
ui-repolist: Add "section-sort" flag to control section sorting.
Flag which, when set to "1", will sort the sections on the repository
listing by name. Set this flag to "0" if the order in the cgitrc file
should be preserved. Default value: "1".
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
scan-tree: Unify gitweb.* and cgit.* settings into one config option.
After some back and forth with Jamie and René, it looks like the git
config semantics are going to be like this:
- gitweb.category maps to the cgit repo config key "section"
- gitweb.description maps to the cgit repo config key "desc"
- gitweb.owner maps to the cgit repo config key "owner"
- cgit.* maps to all cgit repo config keys
This option can be enabled with "enable-git-config=1", and replaces
all previous "enable-gitweb-*" config keys.
The order of operations is as follows:
- git config settings are applied in the order that they exist in
the git config file
- if the owner is not set from git config, get the owner using the
usual getpwuid call
- if the description is not set from git config, look inside the
static $path/description file
- if section-from-path=1, override whatever previous settings were
inside of git config using the section-from-path logic
- parse $path/cgitrc for local repo.* settings, that override all
previous settings
repo_config: do not let globals override repo settings
This makes it possible to activate the enable_commit_graph,
enable_log_filecount, and enable_log_linecount for individual
repositories, even if the global setting is "0" (default).
The commit that introduced the broken behavior was e189344, and the
commit message of that makes it clear that this wasn't the intended
behavior.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Ferry Huberts [Tue, 9 Oct 2012 11:10:48 +0000 (13:10 +0200)]
syntax-highlight: when the file has no extension, assume text
There are 2 situations:
1- empty extension: assuming text is better than highlight
producing no output because of a missing argument.
2- no extension at all: assuming text is better than setting
the extension to the filename, which is what now happens.
Jim Meyering [Mon, 23 Apr 2012 20:06:35 +0000 (22:06 +0200)]
do not write outside heap buffer
* parsing.c (substr): Handle tail < head.
This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.
The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:
(this is due to buf=malloc(0); strncpy (buf, head, -1);
where "head" may point to plenty of attacker-specified non-NUL bytes,
so we can overwrite a zero-length heap buffer with arbitrary data)
Invalid write of size 1
at 0x4A09361: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
at 0x4A0884D: malloc (vg_replace_malloc.c:263)
by 0x455C85: xmalloc (wrapper.c:35)
by 0x40894C: substr (parsing.c:60)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
Invalid write of size 1
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
Invalid write of size 1
at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x502F000
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
This happens when tail - head == -1 here:
(parsing.c)
char *parse_user(char *t, char **name, char **email, unsigned long *date)
{
char *p = t;
int mode = 1;
while (p && *p) {
if (mode == 1 && *p == '<') {
*name = substr(t, p - 1);
t = p;
mode++;
} else if (mode == 1 && *p == '\n') {
The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.
And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID. To construct the offending commit, I had to resort to
using "git hash-object".
git init -q foo &&
( cd foo &&
echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
h=$(git cat-file commit HEAD|sed 's/au //' \
|git hash-object -t commit -w --stdin) &&
git co -q -b test $h &&
git br -q -D master &&
git br -q -m test master)
git clone -q --bare foo foo.git
AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault. Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
ui-snapshot: pass -n to gzip, to suppress timestamp
Since cgit snapshots of tags are often used for releases, we don't
want the rarely used feature of the gzip compressor that includes
an embedded timestamp into the archive, since this makes each tarball
of the same (potentially signed) tag different.
This commit refactors the archive handling code a bit so that each
different format is able to run with an arbitrary argv for the filter.
ui-repolist: Case insensitive sorting and age sort
Add two options, one for doing the ordinary name sorts in a
case-insensitive manner, and another for choosing to sort repos in each
section by age instead of by name.
Jamie Couture [Thu, 12 Jan 2012 03:38:49 +0000 (22:38 -0500)]
use correct type for sizeof
**L would have worked well too. Depending on the distribution sizeof *L
may return 8 instead of 4. **L is preferable, but since we don't expect
this datatype to change very often, sizeof int is less subtle and easier
to understand.
John Keeping [Thu, 24 Nov 2011 11:54:47 +0000 (11:54 +0000)]
Fix segmentation fault in empty repository
When a repository is empty, the ATOM feed link is written in the header,
but this involves formatting ctx->qry.head which is NULL in this case.
With glibc, vsnprintf formats "%s" with a NULL input as "(null)" but on
Solaris this results in a segmentation fault. Since we don't have a
meaningful head for the atom feed in an empty repository, it's simplest
not to write out the link element at all.
Tim Chen [Tue, 3 Jan 2012 16:09:59 +0000 (16:09 +0000)]
ui-ssdiff.c: set correct diffmode in "control panel"
When side-by-side-diffs=1 was set in cgitrc, specifying 'ss=0' in the
querystring would not set the 'unified' option as active in the dropdown
box used to select diffmode.
Tim Chen [Tue, 3 Jan 2012 16:02:14 +0000 (16:02 +0000)]
Fix diff mode switching when side-by-side-diffs=1
When side-by-side-diffs=1 was set in cgitrc, specyfing 'ss=0' in the query-
string would not switch to unified diffs. This patch fixes the issue by
introducing a separate variable to track the occurrence of "ss" in the
querystring.
When the repolist is paged, the page-links are missing the sort parameter,
causing the initial page to be custom sorted, but any clicked page will
then be with the default sort order again.
Some setenv() implementations (e.g. the one in OpenBSD's stdlib)
segfault if we pass a NULL value. Only set environment variables if the
corresponding settings are defined to avoid this.
Note that this is a minor behaviour change as environment variables were
supposed to be set to an empty string if a setting was undefined. Given
that this feature isn't part of any official release yet, there's no
need to worry about backwards compatibility, really. Change the
documentation accordingly.
The file name displayed in the rename hint should be escaped to avoid
XSS. Note that this vulnerability is only applicable when an attacker
has gained push access to the repository.
Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
projects / cgit / log