Pull request: Use userdiff configuration
Jonathon Mah
me at jonathonmah.com
Thu Apr 7 12:39:41 CEST 2011
Lars,
On 2011-04-07, at 03:30, Lars Hjemli wrote:
>> So I have some patches to cgit to respect both the userdiff xfuncname and
>> textconv.
>
> Thanks. The changes looks good, but I'm a bit concerned about textconv
> security. Maybe this feature should be disabled by default?
Yes, I would suggest that. To clarify, this allows people with repo write access to instruct cgit to run an arbitrary command.
So I think I'll look at making it a per-repo setting (also with a global), defaulting to off. Another idea (that I don't like as much): We could restrict textconv values to those in the system-wide git config.
I'll try to make some time for this by tomorrow.
Jonathon Mah
me at JonathonMah.com
More information about the CGit
mailing list