ui-summary: Disallow directory traversal - cgit - Web front-end for git that you're looking at right now. Might have had a few additions from upstream.

diff options

author	Jason A. Donenfeld	2013-05-25 19:47:15 +0200
committer	Jason A. Donenfeld	2013-05-25 20:33:28 +0200
commit	fe36f84d843cd755c6dab629a0758264de5bcc00 (patch)
tree	fee8af2ed0f3df2fa9015453ce3e8d721df6a0cd /cache.h
parent	2a1ead3efb940b7359bcc706c19bd8ddb0de7a11 (diff)
download	cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.tar cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.tar.gz cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.zip

ui-summary: Disallow directory traversal

Using the url= query string, it was possible request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat (limited to 'cache.h')

0 files changed, 0 insertions, 0 deletions

#ifndef UI_SHARED_H #define UI_SHARED_H extern const char *cgit_httpscheme(void); extern char *cgit_hosturl(void); extern const char *cgit_rooturl(void); extern char *cgit_currenturl(void); extern const char *cgit_loginurl(void); extern char *cgit_repourl(const char *reponame); extern char *cgit_fileurl(const char *reponame, const char *pagename, const char *filename, const char *query); extern char *cgit_pageurl(const char *reponame, const char *pagename, const char *query); extern void cgit_add_clone_urls(void (*fn)(const char *)); extern void cgit_index_link(const char *name, const char *title, const char *class, const char *pattern, const char *sort, int ofs, int always_root); extern void cgit_summary_link(const char *name, const char *title, const char *class, const char *head); extern void cgit_tag_link(const char *name, const char *title, const char *class, const char *tag); extern void cgit_tree_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *path); extern void cgit_plain_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *path); extern void cgit_log_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *path, int ofs, const char *grep, const char *pattern, int showmsg, int follow); extern void cgit_commit_link(char *name, const char *title, const char *class, const char *head, const char *rev, const char *path); extern void cgit_patch_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *path); extern void cgit_refs_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *path); extern void cgit_snapshot_link(const char *name, const char *title, const char *class, const char *head, const char *rev, const char *archivename); extern void cgit_diff_link(const char *name, const char *title, const char *class, const char *head, const char *new_rev, const char *old_rev, const char *path); extern void cgit_stats_link(const char *name, const char *title, const char *class, const char *head, const char *path); extern void cgit_object_link(struct object *obj); extern void cgit_submodule_link(const char *class, char *path, const char *rev); extern void cgit_print_layout_start(void); extern void cgit_print_layout_end(void); __attribute__((format (printf,1,2))) extern void cgit_print_error(const char *fmt, ...); __attribute__((format (printf,1,0))) extern void cgit_vprint_error(const char *fmt, va_list ap); extern const struct date_mode *cgit_date_mode(enum date_mode_type type); extern void cgit_print_age(time_t t, int tz, time_t max_relative); extern void cgit_print_http_headers(void); extern void cgit_redirect(const char *url, bool permanent); extern void cgit_print_docstart(void); extern void cgit_print_docend(void); __attribute__((format (printf,3,4))) extern void cgit_print_error_page(int code, const char *msg, const char *fmt, ...); extern void cgit_print_pageheader(void); extern void cgit_print_filemode(unsigned short mode); extern void cgit_print_snapshot_links(const char *repo, const char *head, const char *hex, int snapshots); extern void cgit_add_hidden_formfields(int incl_head, int incl_search, const char *page); #endif /* UI_SHARED_H */


context:
space:
mode: