From 257c23d6439a8b7ab3cde9344281f4a3e5614d8c Mon Sep 17 00:00:00 2001 From: Andrew Lorimer Date: Tue, 15 Oct 2019 22:22:54 +1100 Subject: [PATCH] improve error page/httpd logging and file permissions --- gitweb/gitweb.perl | 44 ++++++++++++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 6f6c2e0de7..49ed13b9de 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -5,6 +5,8 @@ # (C) 2005-2006, Kay Sievers # (C) 2005, Christian Gierke # +# Modified by Andrew Lorimer, 2019 +# # This program is licensed under the GPLv2 use 5.008; @@ -14,7 +16,8 @@ use warnings; use filetest 'access'; use CGI qw(:standard :escapeHTML -nosticky); use CGI::Util qw(unescape); -use CGI::Carp qw(fatalsToBrowser set_message); +#use CGI::Carp qw(fatalsToBrowser set_message); +use CGI::Carp qw(set_message); use Encode; use Fcntl ':mode'; use File::Find qw(); @@ -972,7 +975,9 @@ sub evaluate_path_info { while ($project && !check_head_link("$projectroot/$project")) { $project =~ s,/*[^/]*$,,; } - return unless $project; + if (!$project) { + die_error(404, "Project $path_info not found"); + } $input_params{'project'} = $project; # do not change any parameters if an action is given using the query string @@ -1265,7 +1270,7 @@ sub handle_errors_html { # HTTP headers are already written, so it cannot write them itself die_error(undef, undef, $msg, -error_handler => 1, -no_http_header => 1); } -#set_message(\&handle_errors_html); +set_message(\&handle_errors_html); # dispatch sub dispatch { @@ -1318,11 +1323,11 @@ sub run_request { # $projectroot and $projects_list might be set in gitweb config file $projects_list ||= $projectroot; + evaluate_git_dir(); evaluate_query_params(); evaluate_path_info(); evaluate_and_validate_params(); - evaluate_git_dir(); configure_gitweb_features(); 
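Review bot: With `fatalsToBrowser` dropped from the import list here, the `set_message(\&handle_errors_html);` call that the later hunk at line 1270 re-enables looks like a dead registration. As far as I know, CGI::Carp only consults the set_message handler from its fatalsToBrowser path, so handle_errors_html would never run. Keeping fatal errors out of the response is the safer default because it stops internal paths and messages from reaching clients, so I would keep this import and leave the set_message line commented out or delete it. The commented-out `#use CGI::Carp qw(fatalsToBrowser set_message);` should go as well, since the history already records the old import.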
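Review bot: The new 404 message in evaluate_path_info interpolates `$path_info`, which comes straight from the request URL. That string is rendered in the error page and, through the `die` added to die_error later in this patch, written to the httpd log. Whether die_error escapes `$error` for HTML and strips control characters is not visible here, so either confirm that or use a fixed message such as `die_error(404, "No such project");`. This also changes behaviour for every path that does not resolve to a project: the old `return unless $project;` let the request continue and the new code ends it. The rest of evaluate_path_info lies outside the hunk.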
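Review bot: Moving `evaluate_git_dir();` ahead of `evaluate_query_params();` and `evaluate_path_info();` means it runs before the current request's project has been parsed. evaluate_git_dir's body is outside this patch, but if it derives `$git_dir` from `$project`, then under a persistent runner (FastCGI, mod_perl) the early call would compute it from the previous request's value. The `evaluate_git_dir();` added to git_cmd() in the hunk at line 2722 hides that for git invocations, but any other reader of `$git_dir` would still see the stale value. I would keep the call after `evaluate_and_validate_params();` and add a comment on the git_cmd() call saying why it is repeated there.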
@@ -2717,6 +2722,7 @@ sub get_feed_info { # returns path to the core git executable and the --git-dir parameter as list sub git_cmd { $number_of_git_cmds++; + evaluate_git_dir(); return $GIT, '--git-dir='.$git_dir; } @@ -4188,6 +4194,7 @@ sub print_nav_breadcrumbs { print_nav_breadcrumbs_path(@dirname); print $cgi->a({-href => href(action=>"summary")}, esc_html($projectbasename)); if (defined $action) { + $action =~ s/_/ /; my $action_print = $action ; if (defined $opts{-action_extra}) { $action_print = $cgi->a({-href => href(action=>$action)}, @@ -4421,19 +4428,21 @@ sub die_error { 500 => '500 Internal Server Error', 503 => '503 Service Unavailable', ); - git_header_html($http_responses{$status}, undef, %opts); - print <
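Review bot: `$action =~ s/_/ /;` rewrites `$action` itself, not just the label, and the hunk shows no local declaration of it in this sub. The `href(action=>$action)` two lines below, and anything that reads `$action` after the breadcrumbs are printed, therefore gets e.g. `blob plain` instead of `blob_plain`. It also replaces only the first underscore. Apply the substitution to the display copy instead, `(my $action_print = $action) =~ s/_/ /g;`, which still works with the file's `use 5.008`. print_nav_breadcrumbs starts and ends outside the hunk.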
-$status - $error -
+

$status

+

$error

+ EOF - if (defined $extra) { + if (defined $extra) { print "
\n" . "$extra\n"; } git_footer_html(); - goto DONE_GITWEB + die "$status - $error" unless ($opts{'-error_handler'}); } @@ -7195,18 +7204,24 @@ sub git_blob_plain { my $type = shift; my $expires; + my $base = $hash_base || git_get_head_hash($project); if (!defined $hash) { if (defined $file_name) { - my $base = $hash_base || git_get_head_hash($project); $hash = git_get_hash_by_path($base, $file_name, "blob") or die_error(404, "Cannot find file"); } else { die_error(400, "No file name defined"); } } elsif ($hash =~ m/^$oid_regex$/) { + $file_name = git_get_path_by_hash($base, $hash); # blobs defined by non-textual hash id's can be cached $expires = "+1d"; } + my @treefilter_pattern = gitweb_get_feature('tree_filter'); + if (not $file_name =~ /@treefilter_pattern/) { + die_error(403, "Access denied ($file_name)"); + } + open my $fd, "-|", git_cmd(), "cat-file", "blob", $hash or die_error(500, "Open git-cat-file blob '$hash' failed"); @@ -7256,18 +7271,23 @@ sub git_blob_plain { sub git_blob { my $expires; + my $base = $hash_base || git_get_head_hash($project); if (!defined $hash) { if (defined $file_name) { - my $base = $hash_base || git_get_head_hash($project); $hash = git_get_hash_by_path($base, $file_name, "blob") or die_error(404, "Cannot find file"); } else { die_error(400, "No file name defined"); } } elsif ($hash =~ m/^$oid_regex$/) { + $file_name = git_get_path_by_hash($base, $hash); # blobs defined by non-textual hash id's can be cached $expires = "+1d"; } + my @treefilter_pattern = gitweb_get_feature('tree_filter'); + if (not $file_name =~ /@treefilter_pattern/) { + die_error(403, "Access denied ($file_name)"); + } my $have_blame = gitweb_check_feature('blame'); open my $fd, "-|", git_cmd(), "cat-file", "blob", $hash -- 2.47.1
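Review bot: Replacing `goto DONE_GITWEB` with `die "$status - $error" unless ($opts{'-error_handler'});` turns every client error (400, 403, 404) into an uncaught exception after the page has been sent. The request loop is outside this patch, but unless it wraps run_request() in an eval, a persistent worker would exit on each such response, and every malformed request adds a line built from `$error` to the httpd error log. If the goal is a log entry, I would write one explicitly and keep the jump, e.g. `warn "gitweb: $status\n"; goto DONE_GITWEB unless ($opts{'-error_handler'});`, and log `$error` only after confirming it is free of control characters. The heredoc in this hunk is damaged in this rendering, so the new markup is not reviewed here.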
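Review bot: The tree_filter check in git_blob_plain does not always test the path of the object that `cat-file` goes on to output. When `$hash` is supplied but does not match `$oid_regex`, neither branch runs and the filter is applied to the `$file_name` taken from the request; when `git_get_path_by_hash` finds nothing in `$base`, the match runs against undef. `/@treefilter_pattern/` also interpolates the whole list joined by spaces, and an empty result makes Perl reuse the last successful pattern, so the check should take a single defined pattern and refuse when no path could be resolved. The 403 text should not echo `$file_name`, since for a request by hash it reveals the path the filter is meant to hide. The same lines are added to git_blob in the next hunk and need the same change; both subs continue outside their hunks.

```perl
	my $base = $hash_base || git_get_head_hash($project);
	my $checked_path;    # path the filter decision is based on
	if (!defined $hash) {
		# … unchanged: resolve $hash from $file_name, 404/400 on failure …
		$checked_path = $file_name;
	} elsif ($hash =~ m/^$oid_regex$/) {
		$checked_path = $file_name = git_get_path_by_hash($base, $hash);
		# … unchanged: $expires = "+1d" …
	}
	# any other form of $hash leaves $checked_path undefined and is refused below
	my ($treefilter) = gitweb_get_feature('tree_filter');
	# no filter configured: nothing to enforce (confirm this is the intended default;
	# if the feature can hold several patterns, join them with '|' instead)
	if (defined $treefilter && length $treefilter) {
		die_error(403, "Access denied")
			unless defined $checked_path && $checked_path =~ /$treefilter/;
	}
```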