clone: fix directory traversal - cgit-pink

diff options

author	Jason A. Donenfeld <Jason@zx2c4.com>	2018-08-03 15:46:11 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2018-08-03 17:04:03 +0200
commit	53efaf30b50f095cad8c160488c74bba3e3b2680 (patch)
tree	48c0be88bfef03400ddd4b3871baf9de9dbe0b77 /tests/t0108-patch.sh
parent	config: record repo.snapshot-prefix in the per-repo config (diff)
download	cgit-pink-53efaf30b50f095cad8c160488c74bba3e3b2680.tar.gz cgit-pink-53efaf30b50f095cad8c160488c74bba3e3b2680.zip

clone: fix directory traversal

This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>

Diffstat (limited to 'tests/t0108-patch.sh')

0 files changed, 0 insertions, 0 deletions

/tr> 2020-10-29Remove editJune McEnroe 2020-10-27Switch gr alias back to git rebaseJune McEnroe I always type out git reset and sometimes still expect gr to be rebase... Never got used to it I guess. 2020-10-27Allow cd host: to cd to same path over sshJune McEnroe 2020-10-27Use SendEnv for cd host:pathJune McEnroe Works properly for weird paths, etc. 2020-10-27Allow cd host:path over sshJune McEnroe Requires AcceptEnv SSH_CD in the remote sshd_config. 2020-10-07Use mandoc -T utf8 for text.June McEnroe Don't depend on LANG being set. 2020-09-20Add The Awakened KingdomJune McEnroe A cute extra novella. Finally finished this series. 2020-09-12Move /opt/local back, cheat port select to use system manJune McEnroe This is not really how you're supposed to use the select system, I don't think, since the mandoc package actually creates those files, but it does work. This lets me actually use the git installed by MacPorts. 2020-09-12Move /opt/local behind /usr againJune McEnroe The reason I did this with pkgsrc was because I actually don't want the man(1) from mandoc, since it won't follow MANSECT. Same applies to MacPorts. I wish I could disable its man(1) with a variant or whatever. 2020-09-12Enable toc in cgit renderings of man pagesJune McEnroe But keep it disabled for READMEs since they always use non-standard sections and the TOC is just distracting there, I think. Also add the style so its h1 is the same size as the ones inside sections... 2020-09-11Install mandoc on macOSJune McEnroe 2020-09-11Rewrite install script yet againJune McEnroe 2020-09-11Remove NetBSD from install scriptJune McEnroe I never use it. 2020-09-11Use MacPorts rather than pkgsrcJune McEnroe My system is probably such a mess now... 2020-09-11Add debian VM name to sshJune McEnroe 2020-09-11Add influencer tweetJune McEnroe 2020-09-10Add The Kingdom of GodsJune McEnroe Reading has really slowed down :( 2020-09-07Add SunglassesJune McEnroe An IRC find. 2020-09-06Add Between the BreathsJune McEnroe One of those good songs from a soundtrack of a film that probably isn't? The summary sounds a lot more interesting than the title implies, at least. 2020-09-04Open /dev/tty in nudgeJune McEnroe This makes it work even when it's run connected to a pipe, i.e. as the notify command of catgirl... 2020-09-04Add nudgeJune McEnroe 2020-09-03Build fbclock with -lzJune McEnroe I guess this got lost somewhere, long ago... 2020-08-29Add tweets from retweetsJune McEnroe


context:
space:
mode: