Am 08.03.2017 um 13:30 schrieb John Keeping: > On Wed, Mar 08, 2017 at 12:38:38PM +0100, MonkZ wrote: >> Am 07.03.2017 um 00:35 schrieb John Keeping: >>> We can't reliably follow the link because there is no guarantee that the >>> target lies within the repository and I don't know what we would output >>> for the case where we can't display the target. >> >> INADH (I'm not a dev here) >> >> I would recommend to continue ignoring it or returning the blob, because >> following symlinks (internally) might result - if not done carefully - >> in directory traversal security issues. Maybe resolving a symlink to a >> HTTP301 could work. >> >> For the UI there might be a html-link (in a notification box "This is a >> symlink that points to ...") to the symlink-destination below or above >> the blob, to get a user via click to a file/directory. > > We're talking about the "plain" UI here (for example [0]), so we don't > have anywhere to put additional content and it has to be something > basic. Of course. It would be handled like a content-rewrite to return a http301.
Pseudocode:
handle_symlinks = True # new config item
if this_file_is_a_symlink and symlink_is_relative and handle_symlinks:
if plain_ui:
# rewrite blob to http301
# by attaching the path to the end of current basedir
# cgit is already able to handle ../ in a path
if !plain_ui:
# show blob
# show notification that this is a symlink
# show a link to a url
# like the one that would be used in plain_ui
>
> I'm not actually too worried about directory traversal if we were to try
> following links because we're looking things up in a Git tree at a
> particular commit and not on the filesystem. A bigger concern would be
> whether the internals of Git do anything bad (like invalid memory
> access) if we give the tree traversal machinery a path that goes up out
> of the repository; I doubt it but I have not checked.
If we use url-rewrites (and let the http-client care about getting the
correct file or directory), this would be a non-issue.
MfG
MonkZ
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CGit mailing list CGit@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/cgit
