<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/git.git/gitweb, branch v1.7.6.3</title>
<subtitle>Git
</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/git.git/atom?h=v1.7.6.3</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/atom?h=v1.7.6.3'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/'/>
<updated>2011-08-16T18:41:26Z</updated>
<entry>
<title>Merge branch 'jn/mime-type-with-params' into maint</title>
<updated>2011-08-16T18:41:26Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-08-16T18:41:26Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=5329c99795e187b36a527baa883efe5c3dc2f98c'/>
<id>urn:sha1:5329c99795e187b36a527baa883efe5c3dc2f98c</id>
<content type='text'>
* jn/mime-type-with-params:
  gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss
  gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss
</content>
</entry>
<entry>
<title>gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss</title>
<updated>2011-06-30T18:26:48Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-30T09:39:21Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=e8c35317172aab9da7afe555da603021a3ae89e5'/>
<id>urn:sha1:e8c35317172aab9da7afe555da603021a3ae89e5</id>
<content type='text'>
Enhance usability of 'blob_plain' view protection against XSS attacks
(enabled by setting $prevent_xss to true) by serving contents inline
as safe 'text/plain' mimetype where possible, instead of serving with
"Content-Disposition: attachment" to make sure they don't run in
gitweb's security domain.

This patch broadens downgrading to 'text/plain' further, to any
*/*+xml mimetype.  This includes:

  application/xhtml+xml    (*.xhtml, *.xht)
  application/atom+xml     (*.atom)
  application/rss+xml      (*.rss)
  application/mathml+xm    (*.mathml)
  application/docbook+xml  (*.docbook)
  image/svg+xml            (*.svg, *.svgz)

Probably most useful is serving XHTML files as text/plain in
'blob_plain' view, directly viewable.

Because a file with 'image/svg+xml' mimetype can be a compressed SVGZ
file, we have to check if */*+xml really is a text file, via '-T $fd'.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss</title>
<updated>2011-06-30T18:26:39Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-30T09:39:20Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=86afbd02c890eca08424174b7d6e583af38b0363'/>
<id>urn:sha1:86afbd02c890eca08424174b7d6e583af38b0363</id>
<content type='text'>
One of the mechanisms enabled by setting $prevent_xss to true is 'blob_plain'
view protection.  With XSS prevention on, blobs of all types except a
few known safe ones are served with "Content-Disposition: attachment" to
make sure they don't run in our security domain.

Instead of serving text/* type files, except text/plain (and including
text/html), as attachments, downgrade them to text/plain.  This way HTML
pages in 'blob_plain' (raw) view would be displayed in the browser, but
safely as source, and not asked to be saved.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'maint'</title>
<updated>2011-06-21T21:56:59Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-06-21T21:56:59Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=2765233c64c35eb43a8b46c377fb8b464469221f'/>
<id>urn:sha1:2765233c64c35eb43a8b46c377fb8b464469221f</id>
<content type='text'>
* maint:
  gitweb: 'pickaxe' and 'grep' features requires 'search' to be enabled
</content>
</entry>
<entry>
<title>gitweb: 'pickaxe' and 'grep' features requires 'search' to be enabled</title>
<updated>2011-06-21T21:07:35Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-21T06:41:16Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=a598ded1e2e9cc9f4ce93d091808b475839e6867'/>
<id>urn:sha1:a598ded1e2e9cc9f4ce93d091808b475839e6867</id>
<content type='text'>
Both 'pickaxe' (searching changes) and 'grep' (searching files)
require basic 'search' feature to be enabled to work.  Enabling
e.g. only 'pickaxe' won't work.

Add a comment about this.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: do not misparse nonnumeric content tag files that contain a digit</title>
<updated>2011-06-09T16:22:44Z</updated>
<author>
<name>Jonathan Nieder</name>
<email>jrnieder@gmail.com</email>
</author>
<published>2011-06-09T07:08:57Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=2c162b56f370f5c33e6a945e6922d598006c5ec4'/>
<id>urn:sha1:2c162b56f370f5c33e6a945e6922d598006c5ec4</id>
<content type='text'>
v1.7.6-rc0~27^2~4 (gitweb: Change the way "content tags" ('ctags') are
handled, 2011-04-29) tried to make gitweb's tag cloud feature more
intuitive for webmasters by checking whether the ctags/&lt;label&gt; under
a project's .git dir contains a number (representing the strength of
association to &lt;label&gt;) before treating it as one.

With that change, after putting '$feature{'ctags'}{'default'} = [1];'
in your $GITWEB_CONFIG, you could do

	echo Linux &gt;.git/ctags/linux

and gitweb would treat that as a request to tag the current repository
with the Linux tag, instead of the previous behavior of writing an
error page embedded in the projects list that triggers error messages
from Chromium and Firefox about malformed XML.

Unfortunately the pattern (\d+) used to match numbers is too loose,
and the "XML declaration allowed only at the start of the document"
error can still be experienced if you write "Linux-2.6" in place of
"Linux" in the example above.  Fix it by tightening the pattern to
^\d+$.

Signed-off-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jn/mime-type-with-params'</title>
<updated>2011-06-06T18:40:22Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2011-06-06T18:40:22Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=2c6b5d88287689e5a1acd5b5fefb8edd96931b6d'/>
<id>urn:sha1:2c6b5d88287689e5a1acd5b5fefb8edd96931b6d</id>
<content type='text'>
* jn/mime-type-with-params:
  gitweb: Fix usability of $prevent_xss
</content>
</entry>
<entry>
<title>gitweb: Fix usability of $prevent_xss</title>
<updated>2011-06-05T17:38:47Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-04T08:43:35Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=bee6ea17a1bab824eba6133eefc3c70b219ec98c'/>
<id>urn:sha1:bee6ea17a1bab824eba6133eefc3c70b219ec98c</id>
<content type='text'>
With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment".  However the check was too
strict; it didn't take into account optional parameter attributes,

  media-type     = type "/" subtype *( ";" parameter )

as described in RFC 2616

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

This fixes that, and for example treats the following as a safe MIME
media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Move "Requirements" up in gitweb/INSTALL</title>
<updated>2011-06-03T17:00:24Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-03T16:31:48Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=80b4dfeeb2512d5b6d44b7f6eb72b77222072ec2'/>
<id>urn:sha1:80b4dfeeb2512d5b6d44b7f6eb72b77222072ec2</id>
<content type='text'>
This way you can examine prerequisites at first glance, before
detailed instructions on installing gitweb.  Straightforward
text movement.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gitweb: Describe CSSMIN and JSMIN in gitweb/INSTALL</title>
<updated>2011-06-02T18:16:56Z</updated>
<author>
<name>Jakub Narebski</name>
<email>jnareb@gmail.com</email>
</author>
<published>2011-06-02T14:55:53Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/git.git/commit/?id=560869e32103945f680e0f390fc2062e66b3d04a'/>
<id>urn:sha1:560869e32103945f680e0f390fc2062e66b3d04a</id>
<content type='text'>
The build-time configuration variables JSMIN and CSSMIN were mentioned
only in Makefile; add their description to gitweb/INSTALL.

This required moving the description of GITWEB_JS up, near GITWEB_CSS and
the just-introduced CSSMIN and JSMIN.

Signed-off-by: Jakub Narebski &lt;jnareb@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
