* gitweb bug: Existence of hidden repositories is leaked
@ 2012-10-09  9:28 Ralf Jung
From: Ralf Jung @ 2012-10-09  9:28 UTC
  To: git

Hi list,

I am using gitweb, git-daemon and gitolite on my Debian Squeeze server.
I have some repositories however that I do not want to be available to
the public (currently, that is gitolite-admin only). Those repositories
do not have a "git-daemon-export-ok" file, and the gitweb config contains

# path to git projects (<project>.git)
$projectroot = "/home/git/repositories";
# only show repos which allow daemon access
$export_ok = "git-daemon-export-ok";

I am also using pathinfo to get prettier URLs. However, if I now try to
access gitolite-admin.git in the browser, I get "404 Project Not Found".
If I try to access some repository which does not actually exist, I am
redirected to the project index. This way, the existence of hidden
repositories is disclosed.

The problem is in the function evaluate_path_info which uses
check_head_link to find out which part of the URL is the project.
Replacing this by check_export_ok fixes the problem.

Kind regards,
Ralf

PS: Please keep me in CC, I am not subscribed.
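
The difference between the two checks named in the message, as an added illustration that is not part of the message above and is not gitweb's source: a simplified Perl model of resolving the project from the URL path. The functions has_head, is_exported, resolve_project and response are hypothetical stand-ins, and the repository tree and the "200" label are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model, not gitweb's own code.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

my $export_ok = "git-daemon-export-ok";    # marker file from the config above

# Constructed sample tree: one exported repository, one hidden one.
my $projectroot = tempdir(CLEANUP => 1);
for my $repo ("public.git", "gitolite-admin.git") {
    make_path("$projectroot/$repo");
    open(my $fh, '>', "$projectroot/$repo/HEAD") or die "HEAD: $!";
    print $fh "ref: refs/heads/master\n";
    close($fh);
}
open(my $fh, '>', "$projectroot/public.git/$export_ok") or die "marker: $!";
close($fh);

# Hypothetical stand-ins for the two checks named in the message.
sub has_head    { my ($dir) = @_; return -e "$dir/HEAD" }
sub is_exported { my ($dir) = @_; return has_head($dir) && -e "$dir/$export_ok" }

# Strip trailing path components until the check accepts a directory.
sub resolve_project {
    my ($path_info, $check) = @_;
    (my $project = $path_info) =~ s{^/+|/+$}{}g;
    while ($project ne '' && !$check->("$projectroot/$project")) {
        $project =~ s{/*[^/]*$}{};
    }
    return $project;
}

# What the client sees once a project name has, or has not, been found.
sub response {
    my ($path_info, $check) = @_;
    my $project = resolve_project($path_info, $check);
    return "project index"         if $project eq '';
    return "404 Project Not Found" unless is_exported("$projectroot/$project");
    return "200 $project";
}

for my $case ([ "HEAD check" => \&has_head ], [ "export check" => \&is_exported ]) {
    my ($label, $check) = @$case;
    print "$label:\n";
    printf "  %-24s -> %s\n", $_, response($_, $check)
        for "/public.git/summary", "/gitolite-admin.git", "/no-such-repo.git";
}
```

With the HEAD check the hidden and the nonexistent repository get different answers; with the export check both fall through to the project index, so the two cases look the same to a client.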
