Your message dated Mon, 27 Jun 2011 11:07:49 +0200
with message-id <20110627090749.ga1...@anguilla.debian.or.at>
and subject line Re: Bug#630748: gitolite: always gives access to gitweb if a
description is in the configuration
has caused the Debian Bug report #630748,
regarding gitolite: always gives access to gitweb if a description is in the
configuration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
630748: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630748
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gitolite
Version: 2.0-1
Severity: serious
Tags: patch
Hi,
I'm filing this bug with a severiy of serious as gitolite might present
a git repositories content via gitweb, although the gitweb permission
was removed from the config (or never existed). Don't hesitate to adjust
the severity, but I think it is warranted (and might even be worth a
security tag).
Imagine the following situation:
- you've configured a repository with owner and description and read
access for gitweb:
repo foo
RW = somebody
R = gitweb
foo "Bar Buzz <b...@example.com>" = "yet another description"
- you use the repository and realize that you accidentally shared
bad[tm] content via gitweb. Therefore you remove gitweb access:
repo foo
RW = somebody
foo "Bar Buzz <b...@example.com>" = "yet another description"
and push your changes and assume, that your secret stuff is safe now.
But unfortunately it is not.
Looking at gitolite.pm, line 454/455 it says:
return ($desc or can_read($repo, 'gitweb'));
# this return value is used by the caller to write to projects.list
So if there is a description, there will be gitweb access. This is
neither documented in the documentation (at least not on the pages which
talk about the gitweb integration) nor is the reason behind it obvious
to the user. Without R = gitweb I expect that the repository is not
listed in the projects list.
My suggested and untested patch is attached.
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -451,7 +451,7 @@ sub setup_gitweb_access
system("git config --remove-section gitweb 2>/dev/null");
}
- return ($desc or can_read($repo, 'gitweb'));
+ return can_read($repo, 'gitweb');
# this return value is used by the caller to write to projects.list
}
--- End Message ---
--- Begin Message ---
* Bernd Zeimetz <be...@bzed.de> [2011-06-16 23:37:24 CEST]:
> I'm filing this bug with a severiy of serious as gitolite might present
> a git repositories content via gitweb, although the gitweb permission
> was removed from the config (or never existed). Don't hesitate to adjust
> the severity, but I think it is warranted (and might even be worth a
> security tag).
>
>
> Imagine the following situation:
> - you've configured a repository with owner and description and read
> access for gitweb:
>
> repo foo
> RW = somebody
> R = gitweb
> foo "Bar Buzz <b...@example.com>" = "yet another description"
>
> - you use the repository and realize that you accidentally shared
> bad[tm] content via gitweb. Therefore you remove gitweb access:
>
> repo foo
> RW = somebody
> foo "Bar Buzz <b...@example.com>" = "yet another description"
>
> and push your changes and assume, that your secret stuff is safe now.
> But unfortunately it is not.
>
>
> Looking at gitolite.pm, line 454/455 it says:
> return ($desc or can_read($repo, 'gitweb'));
> # this return value is used by the caller to write to projects.list
>
> So if there is a description, there will be gitweb access. This is
> neither documented in the documentation (at least not on the pages which
> talk about the gitweb integration) nor is the reason behind it obvious
> to the user. Without R = gitweb I expect that the repository is not
> listed in the projects list.
Actually, this _is_ documented in the place where the special gitweb
account is handled, and thus intentional:
,------------------------------> quote <------------------------------
| However, setting a description for the project also enables gitweb
| permissions so you can do it that way if you want.
`------------------------------> quote <------------------------------
http://sitaramc.github.com/gitolite/doc/2-admin.html#_specifying_gitweb_and_daemon_access
This is a feature used by various people, and breaking this feature for
them won't gain much here. If you could elaborate where in the
documentation you have looked for the hint or how to document it more
prominently, please drop suggestions along that lines.
Thanks,
Rhonda
--
Fühlst du dich mutlos, fass endlich Mut, los |
Fühlst du dich hilflos, geh raus und hilf, los | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los |
--- End Message ---
