Hi Kurt,
This issue has now been fixed with CGit v0.9.2:
The announcement may be read here:
http://lists.zx2c4.com/pipermail/cgit/2013-May/001394.html
Jason
On Mon, May 27, 2013 at 2:30 PM, Jan Lieskovsky jlies...@redhat.com wrote:
> Can you provide a patch that would apply against v0.9.1 version too? Or
> would this be just problem of master branch code?
I could, but you'd be much better off just upgrading to v0.9.2.
Hi Kurt,
As mentioned in early messages to oss-sec, I've inherited
maintainership of the cgit codebase and am gradually auditing it.
Today I found a nasty directory traversal:
http://somehost/?url=/somerepo/about/../../../../etc/passwd
This should be pretty straightforward to categorize.
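
Added example, not part of the original thread and not cgit's code: a lexical containment check for a request path like the one above, assuming the portion of the URL after `about/` has already been percent-decoded and is about to be joined to a per-repository base directory. The function name `path_stays_inside` and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if rel, resolved lexically against a base directory, stays
 * inside it; 0 if it is absolute or any prefix of it climbs above the base.
 * Hypothetical helper, not cgit's code. Purely lexical: symlinks inside the
 * base still need a realpath() prefix check on the file that gets opened. */
int path_stays_inside(const char *rel)
{
    int depth = 0;
    const char *p = rel;

    if (*p == '/')
        return 0;              /* absolute path ignores the base entirely */
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;      /* climbed above the base directory */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;           /* ordinary component descends one level */
        }                      /* "" and "." leave depth unchanged */
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the part of the URL after "/somerepo/about/". */
    const char *samples[] = {
        "README.md", "docs/../README.md", "docs//./install.txt",
        "../../../../etc/passwd", "docs/../../secret", "/etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-26s %s\n", samples[i],
               path_stays_inside(samples[i]) ? "serve" : "reject");
    return 0;
}
```

Tracking depth per component, rather than searching the string for `..`, lets `docs/../README.md` through while still rejecting a path that dips above the base at any point.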