ls_cache should be disallowed by default

[Konstantin Ryabitsev]

Hello:

I was surprised to find out that anyone can call ls_cache and view the
contents of the cache directory, including the full path to each cache file.
Since an attacker can also control the cache content, either via query
string parameters, or by pushing contents into a repository served by cgit,
this can aide someone in delivering a payload that can be executed via some
other vulnerability.

Can this functionality be disabled by default and only available if
cache-allow-ls (or something similar) is set in cgitrc?

-K