* [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests
[not found] <1351455531-12208-1-git-send-email-sebastian@breakpoint.cc>
@ 2012-10-28 20:40 ` Jason
2012-10-29 0:33 ` nobody
0 siblings, 1 reply; 5+ messages in thread
From: Jason @ 2012-10-28 20:40 UTC (permalink / raw)
On Sun, Oct 28, 2012 at 2:18 PM, Sebastian Andrzej Siewior
<sebastian at breakpoint.cc> wrote:
> If the snapshots are not enabled then the frontend won't show a link to it.
> The skilled user however may construct the URL on his own and the frontend
> will obey the request.
> This patch adds a check for this case so the request won't be served.
What's the purpose of this? I kind of like just having tar.xz and zip
enabled on mine, and then for folks who need tar.gz (like for bsd pkg
managers), they can have the other link. That way UI clutter is
minimized while the functionality stays intact.
"Disabling snapshots" as a security "feature" isn't really so valid either.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests
2012-10-28 20:40 ` [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests Jason
@ 2012-10-29 0:33 ` nobody
0 siblings, 0 replies; 5+ messages in thread
From: nobody @ 2012-10-29 0:33 UTC (permalink / raw)
On 10/28/2012 09:40 PM, Jason A. Donenfeld wrote:
> "Disabling snapshots" as a security "feature" isn't really so valid either.
With snapshots, few requests can easily create a tremendous amount of
system load, rendering the system unusable. (Imagine you have a kernel
repository and someone repeatedly requests a tar.xz for it)
In any case, your use-case seems valid as well.
Maybe one could have a setting for enabling/disabling snapshots
altogether and another setting for the snapshot formats which should be
listed? (we already have the latter)
-Christian
* my out-of-tree patches for cgit
@ 2014-01-18 20:24 sebastian
2014-01-18 20:24 ` [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests sebastian
0 siblings, 1 reply; 5+ messages in thread
From: sebastian @ 2014-01-18 20:24 UTC (permalink / raw)
Hi,
just rebased my patches on top of v0.10. This includes the sendfile patch
and a few others while I was at it.
Sebastian
* [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests
2014-01-18 20:24 my out-of-tree patches for cgit sebastian
@ 2014-01-18 20:24 ` sebastian
2014-02-01 14:54 ` sebastian
0 siblings, 1 reply; 5+ messages in thread
From: sebastian @ 2014-01-18 20:24 UTC (permalink / raw)
If the snapshots are not enabled then the frontend won't show a link to it.
The skilled user however may construct the URL on his own and the frontend
will obey the request.
This patch adds a check for this case so the request won't be served.
Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
---
ui-snapshot.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ui-snapshot.c b/ui-snapshot.c
index 582dc31..b278ddf 100644
--- a/ui-snapshot.c
+++ b/ui-snapshot.c
@@ -209,6 +209,12 @@ void cgit_print_snapshot(const char *head, const char *hex,
return;
}
+ if (!(f->bit & snapshots)) {
+ show_error(xstrdup(fmt("Snapshot format %s is not enabled.",
+ f->suffix)));
+ return;
+ }
+
if (!hex && dwim) {
hex = get_ref_from_filename(ctx.repo->url, filename, f);
if (hex == NULL) {
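Review bot: the new check `if (!(f->bit & snapshots))` tests against a `snapshots` mask that is not declared anywhere in the hunk, so the commit message should state which setting it is (the repository's effective enabled-format mask rather than only the global one); the whole point of the patch is that a hand-built URL is refused for a repository where snapshots are disabled, and a reader cannot confirm that from these lines. The check itself is correctly placed after the format lookup (the earlier `return;` above it handles the unknown-format case, so `f` is non-NULL here) and before any ref resolution or archive generation, which is where it needs to be to avoid the load that the discussion worries about.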
--
1.8.5.2
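The check in the patch above, and the two-setting split Christian suggests earlier in the thread (one setting that enables snapshot formats for a repository, another that only decides which links are listed), as an added C example that is not cgit's own code. The format table, the bit values, the function names and the sample filenames are all constructed for illustration; only the idea of pairing a filename suffix with a format bit and testing it against a mask is taken from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical format table; the suffix/bit pairing mirrors the f->suffix and
 * f->bit fields used in the patch, but the values here are constructed. */
struct snapshot_format {
    const char *suffix;
    unsigned int bit;
};

enum {
    SNAP_ZIP     = 1u << 0,
    SNAP_TAR_GZ  = 1u << 1,
    SNAP_TAR_BZ2 = 1u << 2,
    SNAP_TAR_XZ  = 1u << 3,
};

static const struct snapshot_format formats[] = {
    { ".zip",     SNAP_ZIP },
    { ".tar.gz",  SNAP_TAR_GZ },
    { ".tar.bz2", SNAP_TAR_BZ2 },
    { ".tar.xz",  SNAP_TAR_XZ },
};

enum snapshot_result {
    SNAPSHOT_OK = 0,
    SNAPSHOT_UNSUPPORTED_FORMAT = 1,  /* suffix matches no known format */
    SNAPSHOT_FORMAT_DISABLED = 2,     /* known format, but not enabled for this repo */
};

/* Match the requested filename against the table by suffix. */
static const struct snapshot_format *lookup_format(const char *filename)
{
    size_t len = strlen(filename);
    for (size_t i = 0; i < sizeof(formats) / sizeof(formats[0]); i++) {
        size_t slen = strlen(formats[i].suffix);
        if (len > slen && strcmp(filename + len - slen, formats[i].suffix) == 0)
            return &formats[i];
    }
    return NULL;
}

/* The server-side gate: a request is served only if the format's bit is set in
 * enabled_mask, the repository's configured snapshot mask. Whether the UI ever
 * showed a link for this format is irrelevant here; a hand-built URL takes the
 * same path and is refused before any archive is generated. */
enum snapshot_result check_snapshot_request(const char *filename,
                                            unsigned int enabled_mask,
                                            const char **reason)
{
    const struct snapshot_format *f = lookup_format(filename);
    if (!f) {
        if (reason) *reason = "Unsupported snapshot format";
        return SNAPSHOT_UNSUPPORTED_FORMAT;
    }
    if (!(f->bit & enabled_mask)) {
        if (reason) *reason = "Snapshot format is not enabled";
        return SNAPSHOT_FORMAT_DISABLED;
    }
    if (reason) *reason = NULL;
    return SNAPSHOT_OK;
}

/* The separate "which links to show" setting from the discussion: a link is
 * listed only when the format is both enabled and selected for listing, so the
 * listing setting can never widen what check_snapshot_request() allows.
 * Returns the number of links that would be rendered. */
unsigned int count_listed_links(unsigned int enabled_mask, unsigned int listed_mask)
{
    unsigned int n = 0;
    for (size_t i = 0; i < sizeof(formats) / sizeof(formats[0]); i++)
        if (formats[i].bit & enabled_mask & listed_mask)
            n++;
    return n;
}

int main(void)
{
    /* Constructed repo policy: serve zip and tar.xz, but only advertise zip. */
    unsigned int enabled = SNAP_ZIP | SNAP_TAR_XZ;
    unsigned int listed  = SNAP_ZIP;
    const char *requests[] = { "cgit-0.10.zip", "cgit-0.10.tar.xz",
                               "cgit-0.10.tar.gz", "cgit-0.10.rar" };
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        const char *why;
        enum snapshot_result r = check_snapshot_request(requests[i], enabled, &why);
        printf("%-18s -> %s\n", requests[i], r == SNAPSHOT_OK ? "served" : why);
    }
    printf("links shown: %u\n", count_listed_links(enabled, listed));
    return 0;
}
```

With the policy in main(), the tar.xz request is served even though no link for it is listed, which is Jason's use case, while tar.gz is refused no matter how the URL was built, which is what the patch enforces; the refusal happens on the mask test alone, before any work that would load the server.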
end of thread, other threads:[~2014-02-02 14:49 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
[not found] <1351455531-12208-1-git-send-email-sebastian@breakpoint.cc>
2012-10-28 20:40 ` [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests Jason
2012-10-29 0:33 ` nobody
2014-01-18 20:24 my out-of-tree patches for cgit sebastian
2014-01-18 20:24 ` [PATCH 1/4] snapshots: Don't allow sneaked in snapshots requests sebastian
2014-02-01 14:54 ` sebastian
2014-02-02 14:49 ` cgit