gitweb: removal of old style blobdiff support breaks ikiwiki

[Joey Hess <joeyh@debian.org>]

[-- Attachment #1: Type: text/plain, Size: 1346 bytes --]

>  * debian/diff/0005-gitweb-do-not-run-git-diff-that-is-Porcelain.diff:
>     new; fix possible gitweb vulnerability: calling "git diff": Jakub
>     says that legacy-style URI to view two blob differences are never
>     generated since 1.4.3.  This codepath runs "git diff" Porcelain from
>     the gitweb, which is a no-no.  It can trigger diff.external command
>     that is specified in the configuration file of the repository being
>     viewed.

Jakub didn't know the whole picture. This change breaks ikiwiki
configurations that use the old url form with gitweb. That url form
is used in configuration examples that have probably been copied into a
lot of ikiwiki setup files.

(Who knows what else might rely on the old url form.. One other thing I've
found that does is various cut-n-pasted gitweb urls embedded on various
websites..)

I wonder if it wouldn't be better to make gitweb continue to support the
old urls, using diff-tree instead of the porcelain?

Gerrit:
I'll be releasing a new version of ikiwiki to that documents how to use
the new gitweb url form. The version in Debian testing would need to
have a new-ish feature backported into it to support the new url form at
all. So please let me know if there are any plans to make this change to
the git in testing (or stable).

-- 
see shy jo

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]