* gitweb: removal of old style blobdiff support breaks ikiwiki
@ 2009-01-05 23:54 Joey Hess
2009-01-06 0:25 ` Jeff King
0 siblings, 1 reply; 2+ messages in thread
From: Joey Hess @ 2009-01-05 23:54 UTC (permalink / raw)
To: Gerrit Pape; +Cc: git
[-- Attachment #1: Type: text/plain, Size: 1346 bytes --]
> * debian/diff/0005-gitweb-do-not-run-git-diff-that-is-Porcelain.diff:
> new; fix possible gitweb vulnerability: calling "git diff": Jakub
> says that legacy-style URI to view two blob differences are never
> generated since 1.4.3. This codepath runs "git diff" Porcelain from
> the gitweb, which is a no-no. It can trigger diff.external command
> that is specified in the configuration file of the repository being
> viewed.
Jakub didn't know the whole picture. This change breaks ikiwiki
configurations that use the old url form with gitweb. That url form
is used in configuration examples that have probably been copied into a
lot of ikiwiki setup files.
(Who knows what else might rely on the old url form.. One other thing I've
found that does is various cut-n-pasted gitweb urls embedded on various
websites..)
I wonder if it wouldn't be better to make gitweb continue to support the
old urls, using diff-tree instead of the porcelain?
Gerrit:
I'll be releasing a new version of ikiwiki to that documents how to use
the new gitweb url form. The version in Debian testing would need to
have a new-ish feature backported into it to support the new url form at
all. So please let me know if there are any plans to make this change to
the git in testing (or stable).
--
see shy jo
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: gitweb: removal of old style blobdiff support breaks ikiwiki
2009-01-05 23:54 gitweb: removal of old style blobdiff support breaks ikiwiki Joey Hess
@ 2009-01-06 0:25 ` Jeff King
0 siblings, 0 replies; 2+ messages in thread
From: Jeff King @ 2009-01-06 0:25 UTC (permalink / raw)
To: Joey Hess; +Cc: Gerrit Pape, git
On Mon, Jan 05, 2009 at 06:54:18PM -0500, Joey Hess wrote:
> I wonder if it wouldn't be better to make gitweb continue to support the
> old urls, using diff-tree instead of the porcelain?
It can't; there is currently no interface for diffing two arbitrary
blobs except "git diff". The simplest fix to retain functionality but
plug the hole is to pass --no-ext-diff to all versions, and
--no-textconv to versions which have textconv (i.e., 1.6.1 and later).
IIRC, there is a problem with --no-ext-diff in some versions, so that
fix might have to be backported, too.
-Peff
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2009-01-06 0:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-01-05 23:54 gitweb: removal of old style blobdiff support breaks ikiwiki Joey Hess
2009-01-06 0:25 ` Jeff King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).