summary refs log tree commit diff
AgeCommit message (Collapse)Author
2016-01-14ui-plain: add enable-html-serving flagJason A. Donenfeld
Unrestricts plain/ to contents likely to be executed by browser.
2016-01-14ui-blob: set CSP just in caseJason A. Donenfeld
2016-01-14ui-blob: always use generic mimetypesJason A. Donenfeld
2016-01-14ui-blob: Do not accept mimetype from userJason A. Donenfeld
2016-01-14ui-shared: prevent malicious filename from injecting headersJason A. Donenfeld
2016-01-14ui-shared: Avoid new line injection into redirect headerJason A. Donenfeld
2016-01-14Fix missing prototype declarationsPeter Colberg
Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13ui-repolist: return HTTP 404 if no repositories foundPeter Colberg
Return HTTP status code 404 Not found when querying a non-existent repository, which signals to search engines that a repository no longer exists. Further, some webservers such as nginx permit logging requests to different files depending on the HTTP code. Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13ui-repolist: extract repo visibility criteria to separate functionPeter Colberg
Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13Fix segmentation fault in hc()Lukas Fleischer
The ctx.qry.page variable might be unset at this point, e.g. when an invalid command is passed and cgit_print_pageheader() is called to show an error message. Signed-off-by: Lukas Fleischer <lfleischer@lfos.de>
2016-01-13git: update to v2.7.0Christian Hesse
Update to git version v2.7.0. * Upstream commit ed1c9977cb1b63e4270ad8bdf967a2d02580aa08 (Remove get_object_hash.) changed API: Convert all instances of get_object_hash to use an appropriate reference to the hash member of the oid member of struct object. This provides no functional change, as it is essentially a macro substitution. Signed-off-by: Christian Hesse <mail@eworm.de>
2016-01-13ui-repolist: initialize char *buf to NULLChristian Hesse
readfile() can fail if the agefile is not readable. Make sure free() does not free an ininitialized string. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-11-24filter: avoid integer overflow in authenticate_postJason A. Donenfeld
ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-11-12about-formatting.sh: comment text out of dateJason A. Donenfeld
2015-10-12filters: port syntax-highlighting.py to python 3.xChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-12md2html: the default of stdin works fineJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12filters: misc cleanupsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12md2html: use pure pythonJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-10cache: fix resource leak: close file handle before returnChristian Hesse
Coverity-id: 13910 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free allocation from cgit_pageurlChristian Hesse
Coverity-id: 13945 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free before returnChristian Hesse
Coverity-id: 13946 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free allocation from cgit_repourlChristian Hesse
Coverity-id: 13947 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-blob: fix resource leak: free before returnChristian Hesse
Coverity-id: 13944 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-blob: fix resource leak: free before returnChristian Hesse
Coverity-id: 13943 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-plain: fix resource leak: free before assigning NULLChristian Hesse
Coverity-id: 13939 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-plain: fix resource leak: free before returnChristian Hesse
Coverity-id: 13940 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-repolist: fix resource leak: free allocation from cgit_currenturlChristian Hesse
Coverity-id: 13930 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-repolist: fix resource leak: free before returnChristian Hesse
Coverity-id: 13931 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09filters: Simplify convertersJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_hosturlChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: return value of cgit_hosturl is not constChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09cmd: fix resource leak: free allocation from cgit_currenturl and fmtallocChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_currenturlChristian Hesse
Coverity-id: 13927 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: return value of cgit_currenturl is not constChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_fileurlChristian Hesse
Coverity-id: 13918 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-ssdiff: fix resource leak: free allocation from cgit_fileurlChristian Hesse
Coverity-id: 13929 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-tree: fix resource leak: free before returnChristian Hesse
Coverity-id: 13938 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09Avoid use of non-reentrant functionsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-09Makefile: fix MAKEFLAGS tests with multiple flagsJohn Keeping
findstring is defined as $(findstring FIND,IN) so if multiple flags are set these tests do the wrong thing unless $(MAKEFLAGS) is the second argument. Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09ui-refs: remove useless null checkJohn Keeping
There is no way that "tag" can be null here. Coverity-id: 13950 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09ui-blob: remove useless null checkJohn Keeping
We have already called strlen() on "path" by the time we get here, so we know it can't be null. Coverity-id: 13954 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09scan-tree: remove useless strdup()John Keeping
parse_configfile() takes a "const char *" and doesn't hold any references to it after it returns; there is no reason to pass it a duplicate. Coverity-id: 13941 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09cgit.c: remove useless null checkJohn Keeping
Everywhere else in this function we do not check whether the value is null and parse_configfile() never passes a null value to this callback. Coverity-id: 13846 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-06git: update to v2.6.1Christian Hesse
Update to git version v2.6.1, no changes required. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17mime: rewrite detection functionJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-08-17ui-summary: send images plain for about pageChristian Hesse
The about page used to display just fine, but images were broken: The binary image data was embedded in html code. Use cgit_print_plain() to send images in plain mode and make them available on about page. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17refactor get_mimetype_from_file() to get_mimetype_for_filename()Christian Hesse
* handle mimetype within a single function * return allocated memory on success Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17move get_mimetype_from_file() to sharedChristian Hesse
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-14cmd: fix command definitionJohn Keeping
The previous commit removed the "pre" field from "struct cgit_cmd" but forgot to update this macro. Signed-off-by: John Keeping <john@keeping.me.uk> Reviewed-by: Christian Hesse <mail@eworm.de>
2015-08-14cmd: no need for pre function hook nowJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>