[PATCH v2] Support Git over HTTP using git-http-backend

Lukas Fleischer cgit at cryptocrack.de
Mon Jan 19 18:13:45 CET 2015


On Mon, 19 Jan 2015 at 17:58:15, Jason A. Donenfeld wrote:
> Do we really want to be enabling git-receive-pack? Seems like in its
> present form, this could lead to some unexpected security results...
> 

Not sure. But note that by default, git-receive-pack is not enabled.
From the git-http-backend(1) man page:

    By default, only the upload-pack service is enabled, which serves
    git fetch-pack and git ls-remote clients, which are invoked from git
    fetch, git pull, and git clone. If the client is authenticated, the
    receive-pack service is enabled, which serves git send-pack clients,
    which is invoked from git push.  

> More generally, is this the right approach? Since we're linking against
> git's sources anyway, couldn't any enhanced functionality be included
> within cgit by calling into the right functions in the git source?
> 

Please check my reply to v2 of Florian's patch; almost everything in
http-backend.c is static, which makes this difficult. We would need to
convince Junio (the current Git maintainer) to make those functions
public and probably send patches to Git. I would say it is okay to merge
this implementation now and eventually switch to direct function calls.
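
Added example, not part of the original e-mail or of cgit: a shell audit that reports, per repository, how git-http-backend will treat pushes, using the `http.receivepack` setting that overrides the default quoted from the man page above. The `*.git` directory naming and the root path argument are assumptions.

```shell
#!/bin/sh
# Added example: audit the push policy git-http-backend applies to each
# repository under a root directory (assumed layout: directories named *.git).

# Map a normalized http.receivepack value to the resulting behaviour.
# Unset (empty) is the man page default: receive-pack is enabled only
# when the web server has authenticated the client.
classify_receivepack() {
    case "$1" in
        "")    echo "authenticated-only" ;;
        true)  echo "anonymous-push" ;;   # push open to everyone
        false) echo "disabled" ;;         # push refused for everyone
        *)     echo "unknown" ;;
    esac
}

# Read the effective setting for one repository. This should be run as the
# user the CGI runs as, so the same global and system config files apply.
receivepack_state() {
    repo=$1
    rc=0
    # --bool normalizes yes/on/1 and no/off/0 to true/false.
    value=$(git --git-dir="$repo" config --bool --get http.receivepack 2>/dev/null) || rc=$?
    case "$rc" in
        0) classify_receivepack "$value" ;;
        1) classify_receivepack "" ;;     # exit code 1: key is not set
        *) echo "unknown" ;;              # invalid value or unreadable repo
    esac
}

# Print "<state><TAB><repository>" for every repository below the root.
audit_root() {
    root=$1
    find "$root" -type d -name '*.git' -prune | sort |
    while IFS= read -r repo; do
        printf '%s\t%s\n' "$(receivepack_state "$repo")" "$repo"
    done
}

# Usage: sh audit.sh /srv/git   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_root "$1"
fi
```

Repositories reported as `anonymous-push` accept pushes without authentication; setting `http.receivepack` to `false` turns pushing over HTTP off regardless of authentication.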

