Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.
The XSS prevention is currently off by default.
Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
One had to configure gitweb for it to find static files (stylesheets,
images) when using path_info URLs. Now that it is not necessary
thanks to adding BASE element to HTML head if needed, update README to
reflect this fact.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Document some possible Apache configurations when the path_info feature
is enabled in gitweb.
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Acked-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Update and extend information about $projects_list file format in
gitweb/README and in gitweb/INSTALL.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Also add a few more hints for how to setup and configure gitweb as described
[jc: with a fix from Mike Hommey]
Signed-off-by: Junio C Hamano <gitster@pobox.com>
From a distribution point of view, configuration files for applications
should reside in /etc/. On the other hand it's convenient for multiple
instances of gitweb (e.g. virtual web servers on a single machine) to have
a per-instance configuration file, just as gitweb currently supports
through the file gitweb_config.perl next to the cgi.
To support both at runtime, this commit introduces GITWEB_CONFIG_SYSTEM as
a system-wide configuration file which will be used as a fallback if the
config file sprecified throug GITWEB_CONFIG does not exist.
See also
http://bugs.debian.org/450592
Signed-off-by: Gerrit Pape <pape@smarden.org>
Acked-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Now gitweb checks if gitweb.owner exists before trying to get filesystem's
owner.
Allow to use configuration variable gitweb.owner set the repository owner,
it checks the gitweb.owner, if not set it uses filesystem directory's owner.
Useful when we don't want to maintain project list file, and all
repository directories have to have the same owner (for example when the
same SSH account is shared for all projects, using ssh_acl to control
access instead).
Signed-off-by: Bruno Ribas <ribas@c3sl.ufpr.br>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Those two configuration variables are important enough that it is
worth to explicitely write about them in the "Gitweb config file
variables" section even if they are usually set during build by
GITWEB_PROJECTROOT and GITWEB_LIST build (Makefile) configuration
variables.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Update list of build configuration variables, add references
to gitweb/INSTALL, add description of runtime and per-repository
runtime configuration.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This uses "git-apply --whitespace=strip" to fix whitespace errors that have
crept in to our source files over time. There are a few files that need
to have trailing whitespaces (most notably, test vectors). The results
still passes the test, and build result in Documentation/ area is unchanged.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
* mw/pathinfo:
gitweb: Fix search form when PATH_INFO is enabled
gitweb: Document features better
gitweb: warn if feature cannot be overridden.
gitweb: start to generate PATH_INFO URLs.
Conflicts:
gitweb/README
This expands gitweb/README to talk some more about GITWEB_CONFIG, moves
feature-specific documentation in gitweb.cgi to the inside of the %features
array, and adds some short description of all the features.
Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <junkio@cox.net>
Add a small apache configuration which shows how to use apache
to put gitweb and GIT repositories at the same URL.
Signed-off-by: Martin Waitz <tali@admingilde.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
With this patch it is possible to use gitweb.perl for developing by
loading the configuration from $GITWEB_CONFIG. This might also be
useful for normal usage of gitweb.
Example:
% cat cfg
$GIT = '/usr/bin/git';
$projectroot = '/home/matled/src/git';
$projects_list = '/home/matled/src/git/git/gitweb/list';
% cat run
#!/bin/sh
export GATEWAY_INTERFACE="CGI/1.1"
export HTTP_ACCEPT="*/*"
export REQUEST_METHOD="GET"
export GITWEB_CONFIG='./cfg'
export QUERY_STRING=""$1""
exec ./gitweb.perl
% time ./run p=git/.git > /dev/null
This makes it easy to check for warnings and do performance tests
after changes, you can also pipe this to lynx -dump -force-html
/dev/stdin to get more than just html.
This also documents the original patch adding require $GITWEB_CONFIG.
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
Use the normal web server instead of the CGI to provide the git logo,
just like the gitweb.css.
Signed-off-by: Martin Waitz <tali@admingilde.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
Generate gitweb/gitweb.cgi to reduce the need to patch gitweb.cgi
by the end user. The GIT installation directory is already known
by the Makefile, and can be inserted directly into gitweb.
All other gitweb configuration parameters can now be specified by
providing GITWEB_* variables while building GIT. These are described
in gitweb/README.
Signed-off-by: Martin Waitz <tali@admingilde.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>