|  | Commit message | Author | Age | Files | Lines | 
|---|
| | Unrestricts plain/ to contents likely to be executed by browser. | 
| | Signed-off-by: Peter Colberg <peter@colberg.org> | 
| | Return HTTP status code 404 Not found when querying a non-existent
repository, which signals to search engines that a repository no
longer exists. Further, some webservers such as nginx permit
logging requests to different files depending on the HTTP code.
Signed-off-by: Peter Colberg <peter@colberg.org> | 
| | Signed-off-by: Peter Colberg <peter@colberg.org> | 
| | The ctx.qry.page variable might be unset at this point, e.g. when an
invalid command is passed and cgit_print_pageheader() is called to show
an error message.
Signed-off-by: Lukas Fleischer <lfleischer@lfos.de> | 
| | Update to git version v2.7.0.
* Upstream commit ed1c9977cb1b63e4270ad8bdf967a2d02580aa08 (Remove
  get_object_hash.) changed API:
  Convert all instances of get_object_hash to use an appropriate
  reference to the hash member of the oid member of struct object.
  This provides no functional change, as it is essentially a macro
  substitution.
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | readfile() can fail if the agefile is not readable. Make sure free()
does not free an uninitialized string.
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.
Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | Coverity-id: 13910
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13945
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13946
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13947
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13944
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13943
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13939
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13940
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13930
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13931
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13927
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13918
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13929
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Coverity-id: 13938
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | findstring is defined as $(findstring FIND,IN) so if multiple flags are
set these tests do the wrong thing unless $(MAKEFLAGS) is the second
argument.
Signed-off-by: John Keeping <john@keeping.me.uk> | 
| | There is no way that "tag" can be null here.
Coverity-id: 13950
Signed-off-by: John Keeping <john@keeping.me.uk> | 
| | We have already called strlen() on "path" by the time we get here, so we
know it can't be null.
Coverity-id: 13954
Signed-off-by: John Keeping <john@keeping.me.uk> | 
| | parse_configfile() takes a "const char *" and doesn't hold any
references to it after it returns; there is no reason to pass it a
duplicate.
Coverity-id: 13941
Signed-off-by: John Keeping <john@keeping.me.uk> | 
| | Everywhere else in this function we do not check whether the value is
null and parse_configfile() never passes a null value to this callback.
Coverity-id: 13846
Signed-off-by: John Keeping <john@keeping.me.uk> | 
| | Update to git version v2.6.1, no changes required.
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | 
| | The about page used to display just fine, but images were broken: The
binary image data was embedded in html code.
Use cgit_print_plain() to send images in plain mode and make them
available on about page.
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | * handle mimetype within a single function
* return allocated memory on success
Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Christian Hesse <mail@eworm.de> | 
| | The previous commit removed the "pre" field from "struct cgit_cmd" but
forgot to update this macro.
Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de> | 
| | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> |