Hi,
On Wednesday 15 January 2014 02:02:13 Jason A. Donenfeld wrote:
While still a horrendous mess, I've begun work adding authentication
support, using our nice new lua filter system.
A sample script looks like this [at the moment]:
On Wed, Jan 15, 2014 at 10:28 AM, Peter Wu lekenst...@gmail.com wrote:
The script is vulnerable to header injection:
$ curl -i http://git.zx2c4.com/login -H 'Referer: x%0d\nX: 1' \
-d 'username=1; path%3d/password=%0aY: 2'
HTTP/1.1 302 Redirect
Server: ZX2C4 Web Server
Date: Wed, 15 Jan
Username: jason
Password: secretpassword
___
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
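An added example (Python, not cgit's Lua filter nor any code from this thread) of the defect Peter describes and the input check that closes it; the header names, the cookie format and the sample values are constructed assumptions:

```python
import re

# Constructed sample values, shaped like the ones in Peter's curl test
# (already percent-decoded, as the login handler would see them).
INJECTED_USERNAME = "1; path=/"        # smuggles a cookie attribute
INJECTED_REFERER = "x\r\nX: 1"         # CRLF ends the field, "X: 1" becomes a new header
_CTL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL and other control characters
_COOKIE_VALUE = re.compile(r"^[A-Za-z0-9_.~-]+$")  # strict subset of RFC 6265 cookie-octet


def build_headers_unsafe(username, referer):
    """Vulnerable: untrusted values are pasted straight into header lines."""
    return (f"Set-Cookie: cgit_user={username}; Path=/\r\n"
            f"Location: {referer}\r\n")


def build_headers_safe(username, referer):
    """Hardened: refuse any value that could break out of its header field.
    (Assumed policy; a safer design also checks the redirect target against
    its own host instead of trusting the Referer at all.)"""
    if not _COOKIE_VALUE.match(username):
        raise ValueError("username is not a valid cookie value")
    if _CTL.search(referer):
        raise ValueError("control character in Referer")
    return (f"Set-Cookie: cgit_user={username}; Path=/; HttpOnly\r\n"
            f"Location: {referer}\r\n")


def header_names(raw):
    """Header field names a client would parse out of the emitted block."""
    return [line.split(":", 1)[0] for line in raw.split("\r\n") if line]


def is_rejected(username, referer):
    """True when the hardened builder refuses this pair of inputs."""
    try:
        build_headers_safe(username, referer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Unsafe: the attacker-controlled Referer sprouts an extra "X" header.
    print(header_names(build_headers_unsafe("jason", INJECTED_REFERER)))
    print(is_rejected(INJECTED_USERNAME, "/"), is_rejected("jason", INJECTED_REFERER))
```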
On Wed, Jan 15, 2014 at 7:29 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:
On Wed, Jan 15, 2014 at 7:17 PM, Peter Wu lekenst...@gmail.com wrote:
The current login page is cacheable; you should add Cache-Control: private to prevent that.
Excellent idea.
I've added no-cache, no-store to the