ls_cache should be disallowed by default

Konstantin Ryabitsev konstantin at
Thu May 23 12:57:33 UTC 2024


I was surprised to find out that anyone can call ls_cache and view the
contents of the cache directory, including the full path to each cache file.
Since an attacker can also control the cache content, either via query
string parameters, or by pushing contents into a repository served by cgit,
this can aide someone in delivering a payload that can be executed via some
other vulnerability.

Can this functionality be disabled by default and only available if
cache-allow-ls (or something similar) is set in cgitrc?


More information about the CGit mailing list