Git https://git.stealer.net/cgit.cgi/user/sven/git.git/atom?h=v1.7.6.3 2011-08-16T18:41:26Z 2011-08-16T18:41:26Z Junio C Hamano gitster@pobox.com 2011-08-16T18:41:26Z urn:sha1:5329c99795e187b36a527baa883efe5c3dc2f98c * jn/mime-type-with-params: gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss 2011-06-30T18:26:48Z Jakub Narebski jnareb@gmail.com 2011-06-30T09:39:21Z urn:sha1:e8c35317172aab9da7afe555da603021a3ae89e5 Enhance usability of 'blob_plain' view protection against XSS attacks (enabled by setting $prevent_xss to true) by serving contents inline as safe 'text/plain' mimetype where possible, instead of serving with "Content-Disposition: attachment" to make sure they don't run in gitweb's security domain. This patch broadens downgrading to 'text/plain' further, to any */*+xml mimetype. This includes: application/xhtml+xml (*.xhtml, *.xht) application/atom+xml (*.atom) application/rss+xml (*.rss) application/mathml+xm (*.mathml) application/docbook+xml (*.docbook) image/svg+xml (*.svg, *.svgz) Probably most useful is serving XHTML files as text/plain in 'blob_plain' view, directly viewable. Because file with 'image/svg+xml' mimetype can be compressed SVGZ file, we have to check if */*+xml really is text file, via '-T $fd'. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-06-30T18:26:39Z Jakub Narebski jnareb@gmail.com 2011-06-30T09:39:20Z urn:sha1:86afbd02c890eca08424174b7d6e583af38b0363 One of mechanism enabled by setting $prevent_xss to true is 'blob_plain' view protection. With XSS prevention on, blobs of all types except a few known safe ones are served with "Content-Disposition: attachment" to make sure they don't run in our security domain. Instead of serving text/* type files, except text/plain (and including text/html), as attachements, downgrade it to text/plain. This way HTML pages in 'blob_plain' (raw) view would be displayed in browser, but safely as a source, and not asked to be saved. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-06-21T21:56:59Z Junio C Hamano gitster@pobox.com 2011-06-21T21:56:59Z urn:sha1:2765233c64c35eb43a8b46c377fb8b464469221f * maint: gitweb: 'pickaxe' and 'grep' features requires 'search' to be enabled 2011-06-21T21:07:35Z Jakub Narebski jnareb@gmail.com 2011-06-21T06:41:16Z urn:sha1:a598ded1e2e9cc9f4ce93d091808b475839e6867 Both 'pickaxe' (searching changes) and 'grep' (searching files) require basic 'search' feature to be enabled to work. Enabling e.g. only 'pickaxe' won't work. Add a comment about this. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-06-09T16:22:44Z Jonathan Nieder jrnieder@gmail.com 2011-06-09T07:08:57Z urn:sha1:2c162b56f370f5c33e6a945e6922d598006c5ec4 v1.7.6-rc0~27^2~4 (gitweb: Change the way "content tags" ('ctags') are handled, 2011-04-29) tried to make gitweb's tag cloud feature more intuitive for webmasters by checking whether the ctags/<label> under a project's .git dir contains a number (representing the strength of association to <label>) before treating it as one. With that change, after putting '$feature{'ctags'}{'default'} = [1];' in your $GITWEB_CONFIG, you could do echo Linux >.git/ctags/linux and gitweb would treat that as a request to tag the current repository with the Linux tag, instead of the previous behavior of writing an error page embedded in the projects list that triggers error messages from Chromium and Firefox about malformed XML. Unfortunately the pattern (\d+) used to match numbers is too loose, and the "XML declaration allowed only at the start of the document" error can still be experienced if you write "Linux-2.6" in place of "Linux" in the example above. Fix it by tightening the pattern to ^\d+$. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-06-06T18:40:22Z Junio C Hamano gitster@pobox.com 2011-06-06T18:40:22Z urn:sha1:2c6b5d88287689e5a1acd5b5fefb8edd96931b6d * jn/mime-type-with-params: gitweb: Fix usability of $prevent_xss 2011-06-05T17:38:47Z Jakub Narebski jnareb@gmail.com 2011-06-04T08:43:35Z urn:sha1:bee6ea17a1bab824eba6133eefc3c70b219ec98c With XSS prevention on (enabled using $prevent_xss), blobs ('blob_plain') of all types except a few known safe ones are served with "Content-Disposition: attachment". However the check was too strict; it didn't take into account optional parameter attributes, media-type = type "/" subtype *( ";" parameter ) as described in RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17 http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7 This fixes that, and it for example treats following as safe MIME media type: text/plain; charset=utf-8 Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-05-26T17:31:57Z Junio C Hamano gitster@pobox.com 2011-05-26T17:31:57Z urn:sha1:a6f3f178bd7ce48f7fe4262a1e5efb3ae6a98a4d * jn/gitweb-js: gitweb: Make JavaScript ability to adjust timezones configurable gitweb.js: Add UI for selecting common timezone to display dates gitweb: JavaScript ability to adjust time based on timezone gitweb: Unify the way long timestamp is displayed gitweb: Refactor generating of long dates into format_timestamp_html gitweb.js: Provide getElementsByClassName method (if it not exists) gitweb.js: Introduce code to handle cookies from JavaScript gitweb.js: Extract and improve datetime handling gitweb.js: Provide default values for padding in padLeftStr and padLeft gitweb.js: Update and improve comments in JavaScript files gitweb: Split JavaScript for maintability, combining on build 2011-05-26T17:31:53Z Junio C Hamano gitster@pobox.com 2011-05-26T17:31:53Z urn:sha1:229e72dd6a34a2fbe5998fbddde44cb00174a602 * jn/ctags-more: gitweb: Optional grouping of projects by category gitweb: Modularized git_get_project_description to be more generic gitweb: Split git_project_list_body in two functions