From mboxrd@z Thu Jan 1 00:00:00 1970
From: i at monkz.de (MonkZ)
Date: Wed, 8 Mar 2017 12:38:38 +0100
Subject: cgit and symlinks
In-Reply-To: <20170306233525.GD2102@john.keeping.me.uk>
References: <08c0a64a-7df9-9b24-f40e-87eea9d53f77@schinagl.nl>
 <20170306233525.GD2102@john.keeping.me.uk>
Message-ID: <5435925d-c258-4196-ce9b-d08348593624@monkz.de>

On 07.03.2017 at 00:35, John Keeping wrote:
> We can't reliably follow the link because there is no guarantee that the
> target lies within the repository and I don't know what we would output
> for the case where we can't display the target.

INADH (I'm not a dev here)

I would recommend continuing to ignore it or returning the blob, because
following symlinks (internally) might result, if not done carefully, in
directory traversal security issues.

Maybe resolving a symlink to an HTTP 301 could work.

For the UI there might be an HTML link (in a notification box: "This is a
symlink that points to ...") to the symlink destination, below or above the
blob, to get a user via click to a file/directory.

Regards,
MonkZ
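A containment check of the kind both messages above are circling around, written as an added example and not code from cgit or from either poster: it resolves a symlink's target (the contents of the symlink blob) relative to the link's directory inside the git tree, purely lexically and without touching the filesystem, and rejects absolute targets and any path that climbs above the repository root. The function and parameter names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve a symlink stored in a git tree.
 * link_dir: directory of the symlink within the repository ("" for the root)
 * target:   the symlink's blob contents, i.e. the path it points to
 * On success writes the normalized in-repo path to out and returns 1;
 * returns 0 if the target is absolute, empty, or escapes the tree. */
int resolve_tree_symlink(const char *link_dir, const char *target,
                         char *out, size_t outlen)
{
    char buf[4096];
    char *segs[256];          /* path components kept after normalization */
    int depth = 0;
    int n;

    if (target[0] == '/' || target[0] == '\0')
        return 0;             /* absolute or empty: cannot be inside the tree */

    /* Join "<link_dir>/<target>" and then walk it component by component. */
    n = snprintf(buf, sizeof buf, "%s/%s", link_dir, target);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (!strcmp(tok, "."))
            continue;
        if (!strcmp(tok, "..")) {
            if (depth == 0)
                return 0;     /* ".." at the root climbs above the repository */
            depth--;
            continue;
        }
        if (depth == (int)(sizeof segs / sizeof segs[0]))
            return 0;
        segs[depth++] = tok;
    }

    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        if (strlen(out) + strlen(segs[i]) + 2 > outlen)
            return 0;
        if (i) strcat(out, "/");
        strcat(out, segs[i]);
    }
    return 1;
}
```

A target that is itself a symlink needs this applied per hop with a hop limit; a return of 1 means the path stays inside the tree, not that a blob exists there.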