Re: [PATCH 4/n] gitweb: Secure against commit-ish/tree-ish with the same name as path

[Jakub Narebski <jnareb@gmail.com>]

Junio C Hamano wrote:
> 
> To be honest, I dislike these */n series where the the end is
> unknown.  It just confuses me what's still surviving, what's
> already shot down, and what's being rerolled.

Well, it looks like this patch series is closing to final patch.
The "New improved patchset view" is done.
 
> Let's step back a bit and see if we share the same view as to
> the status of each one:
> 
> [PATCH/RFC 1/n] gitweb: Better git-unquoting and gitweb-quoting of p...
> 
> Marked preliminary, perhaps need some discussion and rerolling
> but I haven't looked at it.

I'm not sure if without this patch (well, the unquote part) gitweb
can work with filenames which git quotes using escape sequences,
like ", \, LF, TAB. Former version didn't unquote fully, and it
passed partially unquoted filename to git.

> [PATCH 2/n] gitweb: Use '&iquot;' instead of '?' in esc_path
> 
> Discussed; we agreed that showing byte values in different
> colors is preferable.  Waiting for re-roll.

The problem with using text color or background color is that
the filenames tends to be shown with different color and background
color: "tree" view, parts of difftree, parts of diff header, etc.
Perhaps text-decoration: overline;? Just kidding...

> [PATCH 3/n] gitweb: Use 's' regexp modifier to secure against filena...
> 
> I looked at it although haven't said anything yet.  Probably a
> safe and good change but I wonder how LF at the end of the line
> matches /...(.+)$/s pattern; iow, if we do not use -z does it
> still do the right thing?  Otherwise I suspect you would perhaps
> need to chomp?

We always pass chomped lines. First chunk is unnecessary (we care only
for type), without second "tree" view look strange for files with
embedded newline in filename.

> [PATCH 4/n] gitweb: Secure against commit-ish/tree-ish with the same...
> 
> Good fix and even improves readability; will apply after
> dropping -- from ls-tree args.

As I said, noticed while testing gitweb with strange filenames
in 'gitweb/test' branch.

> [PATCH 5/n] [take 3] gitweb: New improved patchset view
> [PATCH 6/n] gitweb: Remove redundant "blob" links from git_difftree_...
> [PATCH 7/n] gitweb: Output also empty patches in "commitdiff" view
> [PATCH 8/n] gitweb: Fix two issues with quoted filenames in git_patc...
> 
> Haven't looked at them and I do not think people have had enough
> time to comment on them yet.

Well, patch 5 and 8 could be collapsed.

-- 
Jakub Narebski