ui-summary: Disallow directory traversal - cgit-pink - web frontend for git

about summary refs log tree commit diff

path: root/README

diff options

author	Jason A. Donenfeld <Jason@zx2c4.com>	2013-05-25 19:47:15 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2013-05-25 20:33:28 +0200
commit	fe36f84d843cd755c6dab629a0758264de5bcc00 (patch)
tree	fee8af2ed0f3df2fa9015453ce3e8d721df6a0cd /README
parent	cgitrc.5: information on directory traversal and multiple readme files (diff)
download	cgit-pink-fe36f84d843cd755c6dab629a0758264de5bcc00.tar.gz cgit-pink-fe36f84d843cd755c6dab629a0758264de5bcc00.zip

ui-summary: Disallow directory traversal

Using the url= query string, it was possible request arbitrary files
from the filesystem if the readme for a given page was set to a
filesystem file. The following request would return my /etc/passwd file:

http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
http://data.zx2c4.com/cgit-directory-traversal.png

This fix uses realpath(3) to canonicalize all paths, and then compares
the base components.

This fix introduces a subtle timing attack, whereby a client can check
whether or not strstr is called using timing measurements in order
to determine if a given file exists on the filesystem.

This fix also does not account for filesystem race conditions (TOCTOU)
in resolving symlinks.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat (limited to 'README')

0 files changed, 0 insertions, 0 deletions

tr> I do not ever want to use this feature. 2021-02-09Add pbcopy, pbpaste, open dispatch scriptsJune McEnroe 2021-02-09Use flags for pbd client behaviourJune McEnroe 2021-02-08Add macOS-like copy and paste to xtermJune McEnroe 2021-02-08Only update clock script every minuteJune McEnroe 2021-02-08Use 4M- for window resizing in cwmJune McEnroe 2021-02-08Tweak trackpad scaling, mouse accelerationJune McEnroe This feels more comfortable. 2021-02-08Use xsel in up and add it do install.shJune McEnroe 2021-02-07Swap root window coloursJune McEnroe 2021-02-07Add -X flag to install X stuff on OpenBSDJune McEnroe 2021-02-07Adjust brightness by smaller incrementsJune McEnroe 2021-02-07Fix cwm window cycling, move big by defaultJune McEnroe 2021-02-07Use class names for Foreground, Background, BorderColorJune McEnroe I'm not really sure what difference this makes, but it seems like the right thing to do to be generic? 2021-02-07Add simple battery status and clock to xsessionJune McEnroe I love how simple this is. 2021-02-07Set cursor theme and sizeJune McEnroe 2021-02-07Use scrot for up -s if no screencaptureJune McEnroe Still missing putting the URL in an X selection. 2021-02-07Enable mouse acceleration in XJune McEnroe 2021-02-07Set colours for Xt and cwmJune McEnroe And increase XTerm internalBorder. 2021-02-07Set urgency on bell in xtermJune McEnroe 2021-02-07Add bindings for brightness controlJune McEnroe Weirdly the Fn key doesn't change how the F row registers... I wonder if I can do something about that. 2021-02-07Set X key repeat rateJune McEnroe 2021-02-07Bump font size to 12June McEnroe 11 is what I use on macOS, but I feel like my eyes are working harder here. 2021-02-07Fully configure and rebind cwmJune McEnroe This is sort of a mix of trying to emulate macOS somewhat for my muscle memory and just rebinding some of the cwm defaults to use 4- rather than M-. 2021-02-07Add BintiJune McEnroe 2021-02-07Finish configuring xtermJune McEnroe 2021-02-06Enable tapping, reverse scroll, set scaling in wsconsctlJune McEnroe 2021-02-06Set root window to black on purple snowJune McEnroe 2021-02-06Add xmodmap configurationJune McEnroe 2021-02-06Add initial OpenBSD X configurationJune McEnroe cwm still needs a lot more rebinding, and I need to actually look at its other options. xterm definitely still needs some configuration, but I at least managed to get it to use a decent looking font. Very happy that OpenBSD includes Luxi Mono, which is what my usual font, Go Mono, is based on anyway. Still missing is xmodmap and such. 2021-02-06Add xterm output to schemeJune McEnroe