diff options
| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2026-05-04 19:13:13 +0300 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2026-05-04 19:28:27 +0300 |
| commit | ed05b1054df10a2fbc68000cfdd429daec03a456 (patch) | |
| tree | 21563e3f6537e7db4b26c446edc4d9b1f8cfbccc /cgit.h | |
| parent | e7e8cf1801b06a9f7f5092671b0413689a765fe7 (diff) | |
cgit: truncate all config values at the newline
These would be largely invalid anyway (save, I suppose, for Linux file
paths that technically can contain new lines).
The actual problem is that these get printed back out into cached -- and
trusted -- cgitrc files, and if the fields have newlines, the git-config
way of less trusted users configuring repos on a shared system can be
abused to inject newlines, which then can be used to smuggle global
options (including filters, which execute code) into the cached cgitrc.
So now, only ever duplicate up to the newline, when dealing with these
inputs.
Reported-by: Adrian Denkiewicz <adrian@doyensec.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'cgit.h')
| -rw-r--r-- | cgit.h | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -393,7 +393,9 @@ extern void cgit_init_filters(void); extern void cgit_prepare_repo_env(struct cgit_repo * repo); -extern int readfile(const char *path, char **buf, size_t *size); +extern int read_first_line(const char *path, char **buf, size_t *size); + +extern char *strdup_first_line(const char *txt); extern char *expand_macros(const char *txt); |