On Jan 16, 2014, at 14:02, Jason A. Donenfeld wrote:
On Thu, Jan 16, 2014 at 2:46 PM, Kyle J. McKay wrote:
And we use this hook:
$owner_link_hook =
sub { url_path($Girocco::Config::webadmurl).
"/projlist.cgi?name=".md5_hex($_[0]); };
Well, that wound up being totally trivial,
There were no comments about this after I posted this seven months ago, so
I'm going to merge this, pending no objections.
On May 26, 2013 4:36 PM, "Jason A. Donenfeld" wrote:
>
> Hello,
>
> I'm considering a cosmetic change that may be controversial.
>
> If the about tab is enabled, then it's be
On Thu, Jan 16, 2014 at 11:20 PM, John Keeping wrote:
> At once (as in in parallel), or without needing to fork for every
> request? I think that many requests serially in the same process is a
> much more likely scenario (that's what FastCGI does); in that case all
> we need to do is clean up af
On Thu, Jan 16, 2014 at 10:36:34PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 16, 2014 at 10:34 PM, John Keeping wrote:
> >
> > I'm not sure it makes much difference either way. Even if we use
> > libgit2, providing we're not processing more than one request at once we
> > can still use a glo
Signed-off-by: Jason A. Donenfeld
---
** MAYBE THIS WON'T BE MERGED **
This is super simple and seems like a no brainer but...
As an alternative to this, we could pretty easily pipe the
owner through the "email-filter", even though the owner name isn't
associated with an email address.
What do
On Thu, Jan 16, 2014 at 2:46 PM, Kyle J. McKay wrote:
> And we use this hook:
>
> $owner_link_hook =
> sub { url_path($Girocco::Config::webadmurl).
> "/projlist.cgi?name=".md5_hex($_[0]); };
>
Well, that wound up being totally trivial, and a logical thing to have
by default anyway
On Thu, Jan 16, 2014 at 10:34 PM, John Keeping wrote:
>
> I'm not sure it makes much difference either way. Even if we use
> libgit2, providing we're not processing more than one request at once we
> can still use a global cgit_context.
Well, the idea of moving to libgit2, in the first place, wo
On Thu, Jan 16, 2014 at 10:26:08PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 16, 2014 at 10:21 PM, John Keeping wrote:
> > The first step in this direction may actually be useful even if we stick
> > with embedding libgit.a.
>
> So what do you think ought to be done with the global-ctx patch
On Thu, Jan 16, 2014 at 10:21 PM, John Keeping wrote:
> The first step in this direction may actually be useful even if we stick
> with embedding libgit.a.
So what do you think ought to be done with the global-ctx patch? Merge
it, and then refactor afterward (whenever we "step in this
direction")
On Thu, Jan 16, 2014 at 07:38:02PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 16, 2014 at 2:08 PM, John Keeping wrote:
> >
> > I had a look at porting to libgit2 about a year ago and it mostly isn't
> > too bad. IIRC the only problematic area is the graph output which we
> > currently get fro
On Thu, Jan 16, 2014 at 2:08 PM, John Keeping wrote:
>
> I had a look at porting to libgit2 about a year ago and it mostly isn't
> too bad. IIRC the only problematic area is the graph output which we
> currently get from libgit.a but would have to do ourselves if we switch
> to libgit2.
Are ther
On Jan 16, 2014, at 03:18, Jason A. Donenfeld wrote:
On Thu, Jan 16, 2014 at 4:28 AM, Kyle J. McKay wrote:
Looking at the new docs for this [4] I don't see an option to
filter owners.
I see that the owner is passed in as "CGIT_REPO_OWNER", but I don't see an
opportunity to produce the owner
On Thu, Jan 16, 2014 at 12:31:15PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 16, 2014 at 11:47 AM, Eric Wong wrote:
> > Lars Hjemli wrote:
> >> Supporting something like FCGI in cgit will require a fork(2) for each
> >> request, before invoking libgit.a functions, since these functions are
>
Hi guys,
Over at cgit [1] we use Lua for our authentication framework [2]. One
thing we're doing wrong is lines like these:
    if password == post["password"] then
Since an attacker can control the post params, this test is vulnerable
to a timing attack, by which an attacker could determine
Hi guys,
We're getting close to release time. Here's what I'm hoping for
between now and then:
- Review lua
- Review authentication filter
- Write tests for authentication filter
- Implement time invariant string compare function in lua for
simple-authentication.lua
- Potentially merge or reject
On Thu, Jan 16, 2014 at 11:47 AM, Eric Wong wrote:
> Lars Hjemli wrote:
>> Supporting something like FCGI in cgit will require a fork(2) for each
>> request, before invoking libgit.a functions, since these functions are
>> not generally reentrant (they tend to use global state and/or
>> inconveni
On Thu, Jan 16, 2014 at 4:28 AM, Kyle J. McKay wrote:
> On repo.or.cz I've hooked up project owner to a link that shows a list of
> all projects owned by the same person.
>
> So, for example, the owner name is passed in and you end up getting back
> links like [1] and [2]. (You can see where this
On Wed, Jan 15, 2014 at 10:28 AM, Peter Wu wrote:
> While the referrer part may not be that easily spoofable
Note that as of b826537 we no longer rely on the referer and instead
use a hidden html form with a secured value. This also doubles as CSRF
protection.
Lars Hjemli wrote:
> On Thu, Jan 16, 2014 at 2:00 AM, Jason A. Donenfeld wrote:
> > On Thu, Jan 16, 2014 at 1:59 AM, Eric Wong wrote:
> >> This. I prefer we keep passing around the ctx variable to keep the code
> >> more flexible for future reuse. Of course, IIRC git itself has this
> >> limit
On Thu, Jan 16, 2014 at 2:00 AM, Jason A. Donenfeld wrote:
> On Thu, Jan 16, 2014 at 1:59 AM, Eric Wong wrote:
>> This. I prefer we keep passing around the ctx variable to keep the code
>> more flexible for future reuse. Of course, IIRC git itself has this
>> limitation, too...
>
> Can anyone c
20 matches