cgit and symlinks

John Keeping john at keeping.me.uk
Wed Mar 8 13:30:21 CET 2017


On Wed, Mar 08, 2017 at 12:38:38PM +0100, MonkZ wrote:
> Am 07.03.2017 um 00:35 schrieb John Keeping:
> > We can't reliably follow the link because there is no guarantee that the
> > target lies within the repository and I don't know what we would output
> > for the case where we can't display the target.
> 
> INADH (I'm not a dev here)
> 
> I would recommend continuing to ignore it or returning the blob, because
> following symlinks (internally) might result, if not done carefully,
> in directory traversal security issues. Maybe resolving a symlink to
> an HTTP 301 could work.
> 
> For the UI there might be an HTML link (in a notification box "This is a
> symlink that points to ...") to the symlink destination below or above
> the blob, to get a user via click to a file/directory.

We're talking about the "plain" UI here (for example [0]), so we don't
have anywhere to put additional content and it has to be something
basic.

I'm not actually too worried about directory traversal if we were to try
following links because we're looking things up in a Git tree at a
particular commit and not on the filesystem.  A bigger concern would be
whether the internals of Git do anything bad (like invalid memory
access) if we give the tree traversal machinery a path that goes up out
of the repository; I doubt it but I have not checked.

[0] https://git.zx2c4.com/cgit/plain/README
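The point about resolving the link target as a tree path rather than a filesystem path can be shown concretely. The following is an added example, not cgit's or Git's own code: it normalizes a symlink blob's target against the link's location in the tree, purely as string handling on '/'-separated tree paths, and rejects absolute targets and targets that climb above the tree root with "..", so that nothing outside the tree is ever handed to the tree lookup. The function names (`resolve_in_tree`, `resolves_to`) and the sample link paths and targets are assumptions made up for the example; it says nothing about how Git's own tree traversal behaves on such paths, which is the separate question raised above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 64
#define MAX_PATH 1024

/*
 * Resolve the target of a symlink blob found at `link_path` inside a Git
 * tree, as a pure path computation (no filesystem access). Tree paths are
 * '/'-separated and relative to the tree root, with no leading '/'.
 *
 * Returns 1 and writes the normalized in-tree path to `out` when the target
 * stays inside the tree. Returns 0 when the target is absolute or would
 * climb above the tree root, cases that have no in-tree meaning. An empty
 * `out` means the target resolved to the tree root itself (a tree, not a
 * blob), which a caller would also have to treat specially.
 *
 * Hypothetical helper written for this example; not cgit code.
 */
int resolve_in_tree(const char *link_path, const char *target,
                    char *out, size_t outsz)
{
    char joined[MAX_PATH];
    const char *comp[MAX_COMPONENTS];
    size_t ncomp = 0, len = 0, i;
    char *slash, *tok;

    /* An absolute symlink target cannot be looked up in a tree at all. */
    if (target[0] == '/')
        return 0;

    if (strlen(link_path) + 1 + strlen(target) + 1 > sizeof(joined))
        return 0;

    /* Start from the directory containing the link, then append the target. */
    strcpy(joined, link_path);
    slash = strrchr(joined, '/');
    if (slash)
        *(slash + 1) = '\0';
    else
        joined[0] = '\0';
    strcat(joined, target);

    /* Normalize component by component; strtok also drops empty "//" parts. */
    for (tok = strtok(joined, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (ncomp == 0)
                return 0;       /* would escape above the tree root */
            ncomp--;
            continue;
        }
        if (ncomp == MAX_COMPONENTS)
            return 0;
        comp[ncomp++] = tok;
    }

    /* Re-join the surviving components into the caller's buffer. */
    out[0] = '\0';
    for (i = 0; i < ncomp; i++) {
        size_t clen = strlen(comp[i]);
        if (len + clen + (i ? 1 : 0) + 1 > outsz)
            return 0;
        if (i)
            out[len++] = '/';
        memcpy(out + len, comp[i], clen);
        len += clen;
        out[len] = '\0';
    }
    return 1;
}

/*
 * Convenience check: 1 if `target` at `link_path` resolves to `expect`,
 * or, when `expect` is NULL, if it is correctly rejected; else 0.
 */
int resolves_to(const char *link_path, const char *target, const char *expect)
{
    char out[MAX_PATH];
    int ok = resolve_in_tree(link_path, target, out, sizeof out);
    if (!expect)
        return !ok;
    return ok && strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample link paths and targets, not taken from any repository. */
    const char *cases[][2] = {
        { "docs/README.md", "../README" },          /* stays in tree */
        { "src/lib.c",      "./util/../impl.c" },   /* "." and ".." inside tree */
        { "a/b/c",          "../../../etc/passwd" }, /* climbs out: rejected */
        { "README",         "/etc/passwd" },        /* absolute: rejected */
        { "a/b",            ".." },                 /* resolves to tree root */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char out[MAX_PATH];
        int ok = resolve_in_tree(cases[i][0], cases[i][1], out, sizeof out);
        printf("%-16s -> %-22s : %s%s\n", cases[i][0], cases[i][1],
               ok ? "in tree: " : "rejected", ok ? out : "");
    }
    return 0;
}
```

The escape check is the whole point: a ".." that would pop past the root is refused before the path ever reaches a tree lookup, so the tree traversal machinery only sees paths that name something at or below the root of the tree for that commit.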

