aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-01-14ui-blob: always use generic mimetypesJason A. Donenfeld1-6/+4
2016-01-14ui-blob: Do not accept mimetype from userJason A. Donenfeld3-4/+0
2016-01-14ui-shared: prevent malicious filename from injecting headersJason A. Donenfeld3-3/+32
2016-01-14ui-shared: Avoid new line injection into redirect headerJason A. Donenfeld1-1/+3
2016-01-14Fix missing prototype declarationsPeter Colberg6-15/+15
Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13ui-repolist: return HTTP 404 if no repositories foundPeter Colberg1-3/+17
Return HTTP status code 404 Not found when querying a non-existent repository, which signals to search engines that a repository no longer exists. Further, some webservers such as nginx permit logging requests to different files depending on the HTTP code. Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13ui-repolist: extract repo visibility criteria to separate functionPeter Colberg1-3/+10
Signed-off-by: Peter Colberg <peter@colberg.org>
2016-01-13Fix segmentation fault in hc()Lukas Fleischer1-0/+3
The ctx.qry.page variable might be unset at this point, e.g. when an invalid command is passed and cgit_print_pageheader() is called to show an error message. Signed-off-by: Lukas Fleischer <lfleischer@lfos.de>
2016-01-13git: update to v2.7.0Christian Hesse13-26/+26
Update to git version v2.7.0. * Upstream commit ed1c9977cb1b63e4270ad8bdf967a2d02580aa08 (Remove get_object_hash.) changed API: Convert all instances of get_object_hash to use an appropriate reference to the hash member of the oid member of struct object. This provides no functional change, as it is essentially a macro substitution. Signed-off-by: Christian Hesse <mail@eworm.de>
2016-01-13ui-repolist: initialize char *buf to NULLChristian Hesse1-1/+1
readfile() can fail if the agefile is not readable. Make sure free() does not free an ininitialized string. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-11-24filter: avoid integer overflow in authenticate_postJason A. Donenfeld1-1/+1
ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-11-12about-formatting.sh: comment text out of dateJason A. Donenfeld1-1/+1
2015-10-12filters: port syntax-highlighting.py to python 3.xChristian Hesse1-10/+9
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-12md2html: the default of stdin works fineJason A. Donenfeld1-2/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12filters: misc cleanupsJason A. Donenfeld2-2/+1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-12md2html: use pure pythonJason A. Donenfeld1-6/+9
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-10cache: fix resource leak: close file handle before returnChristian Hesse1-3/+9
Coverity-id: 13910 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free allocation from cgit_pageurlChristian Hesse1-1/+4
Coverity-id: 13945 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free before returnChristian Hesse1-1/+2
Coverity-id: 13946 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-atom: fix resource leak: free allocation from cgit_repourlChristian Hesse1-1/+3
Coverity-id: 13947 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-blob: fix resource leak: free before returnChristian Hesse1-0/+1
Coverity-id: 13944 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-10ui-blob: fix resource leak: free before returnChristian Hesse1-0/+1
Coverity-id: 13943 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-plain: fix resource leak: free before assigning NULLChristian Hesse1-1/+3
Coverity-id: 13939 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-plain: fix resource leak: free before returnChristian Hesse1-0/+1
Coverity-id: 13940 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-repolist: fix resource leak: free allocation from cgit_currenturlChristian Hesse1-1/+3
Coverity-id: 13930 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-repolist: fix resource leak: free before returnChristian Hesse1-1/+3
Coverity-id: 13931 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09filters: Simplify convertersJason A. Donenfeld4-1734/+284
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_hosturlChristian Hesse1-2/+3
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: return value of cgit_hosturl is not constChristian Hesse2-4/+4
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09cmd: fix resource leak: free allocation from cgit_currenturl and fmtallocChristian Hesse1-3/+7
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_currenturlChristian Hesse1-3/+8
Coverity-id: 13927 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: return value of cgit_currenturl is not constChristian Hesse2-3/+3
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-shared: fix resource leak: free allocation from cgit_fileurlChristian Hesse1-5/+11
Coverity-id: 13918 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-ssdiff: fix resource leak: free allocation from cgit_fileurlChristian Hesse1-2/+6
Coverity-id: 13929 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09ui-tree: fix resource leak: free before returnChristian Hesse1-0/+1
Coverity-id: 13938 Signed-off-by: Christian Hesse <mail@eworm.de>
2015-10-09Avoid use of non-reentrant functionsJason A. Donenfeld1-3/+3
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-10-09Makefile: fix MAKEFLAGS tests with multiple flagsJohn Keeping1-1/+1
findstring is defined as $(findstring FIND,IN) so if multiple flags are set these tests do the wrong thing unless $(MAKEFLAGS) is the second argument. Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09ui-refs: remove useless null checkJohn Keeping1-1/+1
There is no way that "tag" can be null here. Coverity-id: 13950 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09ui-blob: remove useless null checkJohn Keeping1-1/+1
We have already called strlen() on "path" by the time we get here, so we know it can't be null. Coverity-id: 13954 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09scan-tree: remove useless strdup()John Keeping1-1/+1
parse_configfile() takes a "const char *" and doesn't hold any references to it after it returns; there is no reason to pass it a duplicate. Coverity-id: 13941 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-09cgit.c: remove useless null checkJohn Keeping1-1/+1
Everywhere else in this function we do not check whether the value is null and parse_configfile() never passes a null value to this callback. Coverity-id: 13846 Signed-off-by: John Keeping <john@keeping.me.uk>
2015-10-06git: update to v2.6.1Christian Hesse2-1/+1
Update to git version v2.6.1, no changes required. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17mime: rewrite detection functionJason A. Donenfeld1-36/+26
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-08-17ui-summary: send images plain for about pageChristian Hesse1-2/+13
The about page used to display just fine, but images were broken: The binary image data was embedded in html code. Use cgit_print_plain() to send images in plain mode and make them available on about page. Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17refactor get_mimetype_from_file() to get_mimetype_for_filename()Christian Hesse3-51/+44
* handle mimetype within a single function * return allocated memory on success Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-17move get_mimetype_from_file() to sharedChristian Hesse3-40/+42
Signed-off-by: Christian Hesse <mail@eworm.de>
2015-08-14cmd: fix command definitionJohn Keeping1-1/+1
The previous commit removed the "pre" field from "struct cgit_cmd" but forgot to update this macro. Signed-off-by: John Keeping <john@keeping.me.uk> Reviewed-by: Christian Hesse <mail@eworm.de>
2015-08-14cmd: no need for pre function hook nowJason A. Donenfeld3-20/+9
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2015-08-14ui-shared: cache errors for "dynamic TTL"John Keeping1-0/+1
Most errors we generate are (potentially) transient, such as non-existent object IDs so we don't want them to be cached forever. Signed-off-by: John Keeping <john@keeping.me.uk>
2015-08-14cmd: remove "want_layout" fieldJohn Keeping3-34/+24
No commands use this any more. Signed-off-by: John Keeping <john@keeping.me.uk>