Lars,

On 2011-04-07, at 03:30, Lars Hjemli wrote:

>> So I have some patches to cgit to respect both the userdiff xfuncname and
>> textconv.
>
> Thanks. The changes look good, but I'm a bit concerned about textconv
> security. Maybe this feature should be disabled by default?

Yes, I would suggest that. To clarify, this allows people with repo write access to instruct cgit to run an arbitrary command. So I think I'll look at making it a per-repo setting (also with a global), defaulting to off.

Another idea (that I don't like as much): We could restrict textconv values to those in the system-wide git config.

I'll try to make some time for this by tomorrow.

Jonathon Mah
[email protected]
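The alternative mentioned in the message, restricting textconv values to those in the system-wide git config, could be checked as sketched here. This is an added example, not part of the original message or of cgit: the function names, the simplified config reader and both sample configs are assumptions constructed for illustration.

```python
import re

# Matches a git-config section header: [section] or [section "subsection"].
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')

def textconv_drivers(config_text):
    """Return {driver: command} for every diff.<driver>.textconv entry.

    Simplified reader (assumption): no line continuations, inline comments
    or include directives. Anything it misparses fails the exact-match
    comparison below, so such entries are reported rather than approved.
    """
    drivers, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            if section == "diff" and sub is not None:
                current = sub                  # [diff "name"]
            elif section.startswith("diff.") and sub is None:
                current = section[5:]          # deprecated [diff.name]
            else:
                current = None
            line = line[m.end():].strip()      # a key may share the header line
            if not line:
                continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "textconv":
            drivers[current] = value.strip().strip('"')
    return drivers

def unapproved_textconv(repo_config, system_config):
    """Repo-local textconv commands that the system-wide config does not define."""
    approved = set(textconv_drivers(system_config).values())
    return {name: cmd for name, cmd in textconv_drivers(repo_config).items()
            if cmd not in approved}

# Constructed sample configs, not taken from any real host.
SYSTEM_CONFIG = '[diff "exif"]\n\ttextconv = exiftool\n'
REPO_CONFIG = ('[core]\n\tbare = true\n'
               '[diff "exif"]\n\ttextconv = exiftool\n'
               '[diff "notes"]\n\ttextconv = /home/alice/bin/render-notes\n')

if __name__ == "__main__":
    print(unapproved_textconv(REPO_CONFIG, SYSTEM_CONFIG))
```

A viewer that applied this policy would skip textconv for any driver the function returns and fall back to the plain diff.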
