Fork of git SCM with my patches. http://git.kilabit.info/git/atom?h=gitk-resize-error 2021-09-10T18:46:32Z 2021-09-10T18:46:32Z Junio C Hamano gitster@pobox.com 2021-09-10T18:46:31Z urn:sha1:9762646ee42b775139b4d519d090808cbdd3bdeb Tie-break branches that point at the same object in the list of branches on GitWeb to show the one pointed at by HEAD early. * gh/gitweb-branch-sort: gitweb: use HEAD as secondary sort key in git_get_heads_list() 2021-06-10T00:49:20Z Greg Hurrell greg@hurrell.net 2021-06-09T19:28:06Z urn:sha1:a45e390ad6ad1f26967a40e7771777f70a77d719 The "heads" section on the gitweb summary page shows heads in `-committerdate` order (ie. the most recently-modified ones at the top), tie-breaking equal-dated refs using the implicit `refname` sort fallback. This recency-based ordering appears in multiple places in the UI, such as the project listing, the tags list, and even the shortlog and log views. Given two equal-dated refs, however, sorting the `HEAD` ref before the non-`HEAD` ref provides more useful signal than merely sorting by refname. For example, say we had "master" and "trunk" both pointing at the same commit but "trunk" was `HEAD`, sorting "trunk" first helps communicate its special status as the default branch that you'll check out if you clone the repo. Add `-HEAD` as a secondary sort key to the `git for-each-ref` call in `git_get_heads_list()` to provide the desired behavior. The most recently committed refs will appear first, but `HEAD`-ness will be used as a tie-breaker. Note that `refname` is the implicit fallback sort key, which means that two same-dated non-`HEAD` refs will continue to be sorted in lexicographical order, as they are today. Signed-off-by: Greg Hurrell <greg@hurrell.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2021-04-08T22:54:26Z Georgios Kontaxis geko1702+commits@99rst.org 2021-03-28T23:26:03Z urn:sha1:0996dd3d6dbcc132cf212f3420b89947fd9cc2ba Gitweb extracts content from the Git log and makes it accessible over HTTP. As a result, e-mail addresses found in commits are exposed to web crawlers and they may not respect robots.txt. This can result in unsolicited messages. Introduce an 'email-privacy' feature which redacts e-mail addresses from the generated HTML content. Specifically, obscure addresses retrieved from the the author/committer and comment sections of the Git log. The feature is off by default. This feature does not prevent someone from downloading the unredacted commit log, e.g., by cloning the repository, and extracting information from it. It aims to hinder the low- effort, bulk collection of e-mail addresses by web crawlers. Signed-off-by: Georgios Kontaxis <geko1702+commits@99rst.org> Acked-by: Eric Wong <e@80x24.org> Acked-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-05-01T20:39:56Z Junio C Hamano gitster@pobox.com 2020-05-01T20:39:55Z urn:sha1:49349e988318d4bdf89b8c9a03916533bede4b8b Gitweb updates. * eb/gitweb-more-trailers: gitweb: Recognize *-to and Closes/Fixes trailers 2020-04-25T05:19:04Z Emma Brooks me@pluvano.com 2020-04-25T02:17:23Z urn:sha1:4d9378bfad4a283d5e06fbbeba80b5db6be73bc4 Commit trailers like "Thanks-to:", "Fixes:", and "Closes:" are fairly common, but gitweb didn't highlight them like other trailers. Signed-off-by: Emma Brooks <me@pluvano.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-03-29T16:06:51Z Julien Moutinho julm+git@sourcephile.fr 2020-03-29T00:20:28Z urn:sha1:2ecfcdecc612505291cfdffb886b5d7615c3e581 FCGI streams are implemented using the older stream API: TIEHANDLE, therefore applying PerlIO layers using binmode() has no effect to them. The solution in this patch is to redefine the FCGI::Stream::PRINT function to use UTF-8 as output encoding, except within git_blob_plain() and git_snapshot() which must still output in raw binary mode. This problem and solution were previously reported back in 2012: - http://git.661346.n2.nabble.com/Gitweb-running-as-FCGI-does-not-print-its-output-in-UTF-8-td7573415.html - http://stackoverflow.com/questions/5005104 Signed-off-by: Julien Moutinho <julm+git@sourcephile.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2020-01-08T20:44:11Z Junio C Hamano gitster@pobox.com 2020-01-08T20:44:11Z urn:sha1:c5dc20638baf54c43092ee676e0692cba954b194 Typofix. * do/gitweb-typofix-in-comments: gitweb: fix a couple spelling errors in comments 2020-01-04T23:09:33Z Denis Ovsienko denis@ovsienko.info 2020-01-04T17:39:26Z urn:sha1:4e2c4c0d4f0e44909a7e38caadbb79ef9534f3e2 Signed-off-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2019-12-01T17:04:41Z Junio C Hamano gitster@pobox.com 2019-12-01T17:04:41Z urn:sha1:6c630f237e72d3adef8a089bdf984ec1e47b2708 Some codepaths in "gitweb" that forgot to escape URLs generated based on end-user input have been corrected. * jk/gitweb-anti-xss: gitweb: escape URLs generated by href() t/gitweb-lib.sh: set $REQUEST_URI t/gitweb-lib.sh: drop confusing quotes t9502: pass along all arguments in xss helper 2019-11-18T01:46:56Z Jeff King peff@peff.net 2019-11-15T09:06:07Z urn:sha1:a376e37b2c418b8f630741552d76a5b18c87c133 There's a cross-site scripting problem in gitweb, where it will print URLs generated by its href() helper without further quoting. This allows an attacker to point a victim to a specially crafted gitweb URL and inject arbitrary HTML into the resulting page (which the victim sees as coming from gitweb). The base of the URL comes from evaluate_uri(), which pulls the value of $REQUEST_URI via the CGI module. It tries to strip off $PATH_INFO, but fails to do so in some cases (including ones that contain special characters, like "+"). Most of the uses of the URL end up being passed to "$cgi->a(-href = href())", which will get quoted properly by the CGI module. But in a few places, we output them ourselves as part of manually-generated HTML, and whatever was in the original URL will appear unquoted in the output. Given that all of the nearby variables placed into this manual HTML _are_ quoted, it seems like the authors assumed that these URLs would not need quoting. So it's possible that the bug is actually in evaluate_uri(), which should be doing a more careful job of stripping $PATH_INFO. There's some discussion in a comment in that function, as well as the commit message in 81d3fe9f48 (gitweb: fix wrong base URL when non-root DirectoryIndex, 2009-02-15). But I'm not sure I understand it. Regardless, it's a good idea to quote these values at the point of insertion into the HTML output: 1. Even if there is a bug in evaluate_uri(), this would give us belt-and-suspenders protection. 2. evaluate_uri() is only handling the base. Some generated URLs will also mention arbitrary refs or filenames in the repositories, and these should be quoted anyway. 3. It should never _hurt_ to quote (and that's what all of the $cgi->a() calls are doing already). So there may be further work here, but this patch at least prevents the XSS vulnerability, and shouldn't make anything worse. The test here covers the calls in print_feed_meta(), but I manually audited every call to href() to see how its output was used, and quoted appropriately. Most of them are esc_attr(), as they're used in tag attributes, but I used esc_html() when the URLs were printed bare. The distinction is largely academic, as one is implemented as a wrapper for the other. Reported-by: NAKAYAMA DAISUKE <nakyamad@icloud.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>