On Wed, Jan 15, 2014 at 10:28 AM, Peter Wu wrote:
> While the referrer part may not be that easily spoofable
Note that as of b826537 we no longer rely on the referer and instead
use a hidden html form with a secured value. This also doubles as CSRF
protection.
On Wed, Jan 15, 2014 at 7:29 PM, Jason A. Donenfeld wrote:
> On Wed, Jan 15, 2014 at 7:17 PM, Peter Wu wrote:
>> The current login page is cacheable; you should add "Cache-Control: private"
>> to prevent that.
>
> Excellent idea.
I've added no-cache, no-store to the login page and the redirec
On Wed, Jan 15, 2014 at 7:17 PM, Peter Wu wrote:
> Aside from storing passwords in plaintext, I see no other obvious issues.
I'm not too keen on this either. Care to submit a patch against
jd/authentication that does a crypt() / mkpasswd salted hash
situation? Does luacrypto support this? Investi
On Wednesday 15 January 2014 14:42:12 Jason A. Donenfeld wrote:
> > An important consideration is caching. Adding the Set-Cookie header
> > disables caching for nginx at least, but other authenticated requests
> > can still be cached.
>
> Not completely though. I've taken careful precaution to
Username: jason
Password: secretpassword
___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
On Wed, Jan 15, 2014 at 10:28 AM, Peter Wu wrote:
>
> The script is vulnerable to header injection:
>
> $ curl -i http://git.zx2c4.com/login -H 'Referer: x%0d\nX: 1' \
> -d 'username=1; path%3d/&password=%0aY: 2'
> HTTP/1.1 302 Redirect
> Server: ZX2C4 Web Server
> Date: Wed, 15 Jan 2014 08:54:0
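The injection reported above works because request-supplied values (the username from the form body, the Referer) are copied into Set-Cookie and Location headers unchanged, so an embedded CR/LF starts a new header. As an added example that is not cgit's own code, here are two Lua checks a filter could apply before emitting those headers; the function names and the sample inputs below are constructed for illustration.

```lua
-- Added example, not part of cgit's simple-authentication.lua.
-- Returns the value unchanged if it may be placed in a Set-Cookie header,
-- otherwise nil and a reason. Rejects CR, LF and every other control
-- character (which would terminate the header), plus ';' ',' '"' '\' and
-- space, which would let a value inject cookie attributes such as path=/.
local function safe_cookie_value(v)
	if type(v) ~= "string" or #v == 0 then
		return nil, "empty value"
	end
	if v:find("%c") then
		return nil, "control character in value"
	end
	if v:find("[;,\"\\ ]") then
		return nil, "cookie-unsafe character in value"
	end
	return v
end

-- Only redirect to a path on this site: it must start with a single "/"
-- (so "//host/..." is refused), and contain no control characters or
-- backslashes. Anything else falls back to the site root.
local function safe_redirect_path(p)
	if type(p) ~= "string" or p:sub(1, 1) ~= "/" or p:sub(2, 2) == "/" then
		return "/"
	end
	if p:find("%c") or p:find("\\") then
		return "/"
	end
	return p
end

-- Constructed inputs shaped like the values in the report above.
local cases = {
	{ "jason",        true  },  -- ordinary username
	{ "1; path=/",    false },  -- attribute smuggling
	{ "x\r\nX: 1",    false },  -- header injection
}
for _, c in ipairs(cases) do
	local ok = safe_cookie_value(c[1]) ~= nil
	assert(ok == c[2], "unexpected result for " .. c[1])
end
assert(safe_redirect_path("/cgit/") == "/cgit/")
assert(safe_redirect_path("//evil.example/") == "/")
assert(safe_redirect_path("/x\nY: 2") == "/")
print("header checks passed")
```

Rejecting rather than stripping keeps the failure visible in the access log, which is the easier condition to alert on.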
Hi,
On Wednesday 15 January 2014 02:02:13 Jason A. Donenfeld wrote:
> While still a horrendous mess, I've begun work adding authentication
> support, using our nice new lua filter system.
>
> A sample script looks like this [at the moment]:
>
> http://git.zx2c4.com/cgit/tree/filters/simple-authe
Hi folks,
While still a horrendous mess, I've begun work adding authentication
support, using our nice new lua filter system.
A sample script looks like this [at the moment]:
http://git.zx2c4.com/cgit/tree/filters/simple-authentication.lua?h=jd/authentication
The full commit of this atrocity l