-rw-r--r--0001-clone-fix-directory-traversal.patch62
-rw-r--r--cgit-0.9.1-highlightv3.patch13
-rw-r--r--cgit.spec240
-rw-r--r--cgitrc69
4 files changed, 246 insertions, 138 deletions
diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch
deleted file mode 100644
index 9f647f2..0000000
--- a/0001-clone-fix-directory-traversal.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Fri, 3 Aug 2018 15:46:11 +0200
-Subject: [PATCH] clone: fix directory traversal
-
-This was introduced in the initial version of this code, way back when
-in 2008.
-
-$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
-root:x:0:0:root:/root:/bin/sh
-...
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Reported-by: Jann Horn <jannh@google.com>
----
- ui-clone.c | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/ui-clone.c b/ui-clone.c
-index 2c1ac3d..6ba8f36 100644
---- a/ui-clone.c
-+++ b/ui-clone.c
-@@ -92,17 +92,32 @@ void cgit_clone_info(void)
-
- void cgit_clone_objects(void)
- {
-- if (!ctx.qry.path) {
-- cgit_print_error_page(400, "Bad request", "Bad request");
-- return;
-- }
-+ char *p;
-+
-+ if (!ctx.qry.path)
-+ goto err;
-
- if (!strcmp(ctx.qry.path, "info/packs")) {
- print_pack_info();
- return;
- }
-
-+ /* Avoid directory traversal by forbidding "..", but also work around
-+ * other funny business by just specifying a fairly strict format. For
-+ * example, now we don't have to stress out about the Cygwin port.
-+ */
-+ for (p = ctx.qry.path; *p; ++p) {
-+ if (*p == '.' && *(p + 1) == '.')
-+ goto err;
-+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
-+ goto err;
-+ }
-+
- send_file(git_path("objects/%s", ctx.qry.path));
-+ return;
-+
-+err:
-+ cgit_print_error_page(400, "Bad request", "Bad request");
- }
-
- void cgit_clone_head(void)
---
-2.18.0
-
diff --git a/cgit-0.9.1-highlightv3.patch b/cgit-0.9.1-highlightv3.patch
deleted file mode 100644
index df06a81..0000000
--- a/cgit-0.9.1-highlightv3.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -Nur cgit-0.9.1.orig/filters/syntax-highlighting.sh cgit-0.9.1/filters/syntax-highlighting.sh
---- cgit-0.9.1.orig/filters/syntax-highlighting.sh 2012-11-14 17:28:59.000000000 -0700
-+++ cgit-0.9.1/filters/syntax-highlighting.sh 2012-11-17 10:47:07.870778180 -0700
-@@ -53,7 +53,7 @@
- # found (for example) on EPEL 6.
- #
- # This is for version 2
--exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
-+#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
-
- # This is for version 3
--#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
-+exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
diff --git a/cgit.spec b/cgit.spec
index 6a66d71..035daf0 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -8,62 +8,114 @@
# Please preserve changelog entries
#
-
# Review bug: https://bugzilla.redhat.com/479723
-%global gitver 2.10.2
+# Defaults
+%global gitver 2.25.1
%global cachedir %{_localstatedir}/cache/%{name}
%global filterdir %{_libexecdir}/%{name}/filters
%global scriptdir %{_localstatedir}/www/cgi-bin
%global cgitdata %{_datadir}/%{name}
-%global syntax_highlight 1
+# GPG signing key fingerprints
+%global gpg_cgit AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
+%global gpg_git 96E07AF25771955980DAD10020D04E5A713660A7
+
+# Disable automatic compilation of *.py files outside of python sitelib,
+# the *.py files in cgit are not importable python modules
+%global _python_bytecompile_extra 0
+
+# Settings for Fedora and EL > 7
+%if 0%{?fedora} || 0%{?rhel} > 7
+%global use_perl_interpreter 1
+%else
+%global use_perl_interpreter 0
+%endif
-# Temporarily -- in epel-7-ppc64 is not highlight package currently, #1117261
-%if 0%{?rhel} == 7
-%ifarch ppc64
-%global syntax_highlight 0
+# The highlight package is only available in EL7+ on ppc64le and x86_64
+%if 0%{?rhel} >= 7 && ! ( "%{_arch}" == "ppc64le" || "%{_arch}" == "x86_64" )
+%bcond_with highlight
+%else
+%bcond_without highlight
%endif
+
+# Older epel lacks httpd-filesystem
+%if 0%{?fedora} || 0%{?rhel} > 7
+%bcond_without httpd_filesystem
+%else
+%bcond_with httpd_filesystem
%endif
Name: cgit
-Version: 1.1
-Release: 11%{?dist}
+Version: 1.2.3
+Release: 3%{?dist}
Summary: A fast web interface for git
-Group: Development/Tools
License: GPLv2
URL: https://git.zx2c4.com/cgit/
Source0: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz
-Source1: https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz
+Source1: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.xz
Source2: cgitrc
Source3: README.SELinux
-# https://git.zx2c4.com/cgit/commit/?id=53efaf30b
-Patch0: 0001-clone-fix-directory-traversal.patch
+# Jason A. Donenfeld's key is used to sign cgit releases.
+#https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
+Source90: gpgkey-%{gpg_cgit}.asc
+
+# Junio C Hamano's key is used to sign git releases. It can be found in the
+# junio-gpg-pub tag within git.
+#
+# (Note that the tagged blob in git contains a version of the key with an
+# expired signing subkey. The subkey expiration has been extended on the
+# public keyservers, but the blob in git has not been updated.)
+#
+# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
+# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
+# https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
+Source91: gpgkey-%{gpg_git}.asc
+
+# Tarball signatures
+Source92: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.asc
+Source93: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.sign
+
+# All supported releases use highlight version 3.
+Patch0: cgit-0.9.1-highlightv3.patch
+# see https://lists.zx2c4.com/pipermail/cgit/2020-August/004508.html
+Patch1: cgit-oldtar.patch
# Security guys might try to repoquery for this.
Provides: bundled(git) = %gitver
-%if %{syntax_highlight}
-# All supported releases use hightlight version 3.
-Patch1: cgit-0.9.1-highlightv3.patch
+%if %{with highlight}
BuildRequires: highlight
%endif
BuildRequires: asciidoc
BuildRequires: gcc
-%if 0%{?fedora} || 0%{?rhel} >= 6
+BuildRequires: gnupg2
BuildRequires: libcurl-devel
-%else
-BuildRequires: curl-devel
-%endif
BuildRequires: openssl-devel
BuildRequires: lua-devel
BuildRequires: make
+BuildRequires: zlib-devel
-%if 0%{?fedora}
-# just to be able to install httpd configuration correctly, FC21+
+# Test dependencies
+BuildRequires: gettext
+BuildRequires: lzip
+%if %{use_perl_interpreter}
+BuildRequires: perl-interpreter
+%else
+BuildRequires: perl
+%endif
+BuildRequires: perl(ExtUtils::MakeMaker)
+BuildRequires: strace
+BuildRequires: tidy
+BuildRequires: unzip
+BuildRequires: xz
+BuildRequires: zstd
+
+%if %{with httpd_filesystem}
+# httpd-filesystem provides the basic apache directory layout
Requires: httpd-filesystem
%endif
Requires: webserver
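Review bot: `Patch0: cgit-0.9.1-highlightv3.patch` on L183 names a file that this same commit deletes (the `cgit-0.9.1-highlightv3.patch` section above, `+++ /dev/null`), so `%autosetup -p1` in `%prep` will fail to find it unless the build fetches patches from somewhere other than this tree. The same question applies to `Patch1: cgit-oldtar.patch` (L185) and the key files `Source90`/`Source91` (L164, L176): none of them is among the four files in the diffstat, so they must already exist in the repository for the signature check and patching to work — worth confirming in the commit message. Either keep the highlightv3 patch in the tree or drop the `Patch0` line together with it. The spec preamble continues outside the hunk.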
@@ -73,28 +125,47 @@ Requires: webserver
Cgit is a fast web interface for git. It uses caching to increase performance.
%prep
-%setup -q -a 1
-%patch0 -p1
-%if %{syntax_highlight}
-%patch1 -p1
-%endif
+# Verify GPG signatures
+#
+# Create a temp dir for gpg to ensure we don't use any existing keyrings or
+# configuration
+gpghome="$(mktemp -qd)"
+# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and
+# verify them using the respective signing keys
+verify_source() {
+ local src=$1 key=$2 ext=$3 tar
+ tar=${src/%.xz/}
+ xz -dc $src > $tar
+ gpg2 --dearmor --quiet --batch --yes $key >/dev/null
+ gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar
+ rm -f $key.gpg $tar
+}
+verify_source %{SOURCE0} %{SOURCE90} .asc
+verify_source %{SOURCE1} %{SOURCE91} .sign
+rm -rf "$gpghome"
+
+# Ensure a blank line follows autosetup, el6 chokes otherwise
+# https://bugzilla.redhat.com/1310704
+%autosetup -a 1 -p1
# setup the git dir
rm -rf git
mv git-%{gitver} git
+# add README.SELinux
+cp -p %{SOURCE3} .
+
# Use the same options for every invocation of 'make'.
# Otherwise it will rebuild in %%install due to flags changes.
cat << \EOF > cgit.conf
V = 1
CFLAGS = %{optflags}
LDFLAGS = %{?__global_ldflags}
-DESTDIR = %{buildroot}
-INSTALL = install -p
CACHE_ROOT = %{cachedir}
CGIT_SCRIPT_PATH = %{scriptdir}
CGIT_SCRIPT_NAME = cgit
CGIT_DATA_PATH = %{cgitdata}
+COPYTREE = %{__cp} -rp
docdir = %{docdir}
filterdir = %{filterdir}
prefix = %{_prefix}
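Review bot: verify_source (L243-L250) writes its scratch files next to the sources rather than into the `$gpghome` directory the comment above it promises: `tar=${src/%.xz/}` places the decompressed tarball, and `gpg2 --dearmor ... $key` places `$key.gpg`, in the directory holding `%{SOURCE0}`/`%{SOURCE90}`, and every use of `$src`, `$key` and `$tar` is unquoted. If the build shell runs with `-e` (rpmbuild's default, as far as I know), a failing `gpgv2` aborts before the `rm -f`, leaving the uncompressed tarball and keyring behind in the source directory. The `gpg2 --dearmor` call also lacks `--homedir "$gpghome"`, so it may touch the caller's default GnuPG directory. Suggested rewrite keeps every temporary file under `$gpghome` (which the `rm -rf "$gpghome"` on L253 already cleans up on success) and quotes the paths; the signature file is still looked up next to the source as `${src%.xz}$ext`.
```rpmspec
verify_source() {
    local src="$1" key="$2" ext="$3" tar keyring
    # decompress and dearmor into the scratch dir so %{_sourcedir} stays untouched
    tar="$gpghome/${src##*/}"
    tar="${tar%.xz}"
    keyring="$gpghome/${key##*/}.gpg"
    xz -dc "$src" > "$tar"
    gpg2 --homedir "$gpghome" --dearmor --quiet --batch --yes --output "$keyring" "$key"
    gpgv2 --homedir "$gpghome" --quiet --keyring "$keyring" "${src%.xz}$ext" "$tar"
    rm -f "$keyring" "$tar"
}
# … unchanged: verify_source calls, rm -rf "$gpghome", %autosetup …
```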
@@ -107,20 +178,17 @@ CFLAGS = %{optflags}
LDFLAGS = %{?__global_ldflags}
EOF
-# I tried to use matchpathcon, but we would need to require
-# selinux-policy-targeted probably.
+# remove env shebang's from filter scripts
+grep -rl '#!.*/env' filters/ | xargs -r sed -Ei 's@^(.+/)env (.+)$@\1\2@'
-build_dist=%{?fedora:fedora}%{?rhel:rhel}
-build_ver=%{?fedora}%{?rhel}
-
-cgit_context=git_sys_content_t
-sed -e "s|@CGIT_CONTEXT@|$cgit_context|g" \
- %{SOURCE3} > README.SELinux
+# remove execute permissions from contrib file
+find contrib -type f | xargs -r chmod -x
+# default httpd config
cat > httpd.conf <<EOF
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
-%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
+%if 0%{?fedora} || 0%{?rhel} >= 7
<Directory "/usr/share/cgit">
Require all granted
</Directory>
@@ -129,32 +197,31 @@ EOF
%build
-make %{?_smp_mflags}
-
-# Something in the a2x chain doesn't like running in parallel. :/
-make -j1 doc-man doc-html
+%make_build all doc-man doc-html
-%if %{syntax_highlight}
-# el5 highlight doesn't know --print-style
+%if %{with highlight}
highlight --print-style --style-outfile=stdout >> cgit.css
%endif
%install
-make DESTDIR=%{buildroot} install install-man
+%make_install install install-man
install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
install -p -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/cgitrc
install -p -m0644 httpd.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/cgit.conf
install -d -m0755 %{buildroot}%{cachedir}
+%check
+make test
+
%files
-%doc COPYING README* *.html
+%doc README* contrib *.html
+%license COPYING
%config(noreplace) %{_sysconfdir}/cgitrc
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# Keep those two httpd-owned directories listed here until httpd-filesystem
-# becomes part of EPEL. See rhbz#1138599 for more details.
+%if ! %{with httpd_filesystem}
+# own httpd config dirs on systems without httpd-filesystem
%dir %{_sysconfdir}/httpd
%dir %{_sysconfdir}/httpd/conf.d
%endif
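Review bot: `%make_install install install-man` on L318 spells the `install` target twice, because `%make_install` already expands to `make install DESTDIR=%{buildroot}` (plus the usual `INSTALL="install -p"`); the explicit `install` is redundant and `%make_install install-man` is enough. Harmless, but it reads as if the macro were a plain `make`, which can mislead the next edit. The `%install` section's remaining lines are unchanged.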
@@ -162,16 +229,71 @@ install -d -m0755 %{buildroot}%{cachedir}
%dir %attr(-,apache,root) %{cachedir}
%{cgitdata}
%{filterdir}
+# exclude byte-compiled python files (relevant on Fedora < 29 and RHEL < 8)
+%exclude %{filterdir}/*.py[co]
%{scriptdir}/*
%{_mandir}/man*/*
%changelog
-* Fri Aug 24 2018 Remi Collet <remi@remirepo.net> - 1.1-11
-- rebuild for remirepo, synced with EPEL-7:
+* Mon Dec 14 2020 Remi Collet <remi@remirepo.net> - 1.2.3-3
+- rebuild for remirepo, synced with rawhide
+- add patch for EL-8
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Apr 02 2020 Björn Esser <besser82@fedoraproject.org> - 1.2.3-2
+- Fix string quoting for rpm >= 4.16
+
+* Sat Mar 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.3-1
+- update to 1.2.3
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.2-1
+- update to 1.2.2
+- adjust highlight requirement conditional for EL-7+
+
+* Fri Aug 02 2019 Todd Zullinger <tmz@pobox.com> - 1.2.1-5
+- add missing zlib-devel BuildRequires, fixes FTBFS (#1737005)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
-- Fix directory traversal vulnerability
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Aug 10 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-2
+- use git's default, collision-detecting SHA1 implementation
+- verify upstream GPG signatures in %%prep
+
+* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-1
+- Update to 1.2.1, fixes directory traversal vulnerability
+
+* Fri Jul 13 2018 Todd Zullinger <tmz@pobox.com> - 1.2-1
+- Update to 1.2
+- Include contrib dir in docs
+- Update example cgtirc settings
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
+- disable automatic compilation of *.py files outside of python sitelib
+- use %%bcond_(with|without) to toggle highlight
+- use %%autosetup macro
+- drop crufty curl-devel conditional
+- fix parallel make issues in docs
+- simplify README.SELinux install
+- use %%bcond_(with|without) to handle httpd-filesystem
+- avoid libcrypto.so requires
+- run test suite in %%check
+
+* Mon Jun 04 2018 Todd Zullinger <tmz@pobox.com>
+- make config: drop redundant DESTDIR/INSTALL, add COPYTREE
+- remove env shebang's from filter scripts
* Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10
- Use https for source URLs
@@ -180,6 +302,18 @@ install -d -m0755 %{buildroot}%{cachedir}
- Drop obsolete %%{buildroot} cleanup
- Add gcc and make BuildRequires
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 1.1-7
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
* Mon Jul 24 2017 Todd Zullinger <tmz@pobox.com> - 1.1-5
- Require webserver on all dists (#1468839)
diff --git a/cgitrc b/cgitrc
index 23b6b86..3770c3d 100644
--- a/cgitrc
+++ b/cgitrc
@@ -1,27 +1,39 @@
#
-# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details
+# See cgitrc(5) or /usr/share/doc/cgit/cgitrc.5.html for details
#
# Enable caching of up to 1000 output entries
cache-size=1000
# Specify some default clone prefixes
-#clone-prefix=git://example.com ssh://example.com/pub/git http://example.com/git
+#clone-prefix=git://example.com ssh://example.com/pub/git https://example.com/git
# Specify the css url
css=/cgit-data/cgit.css
+# Show owner on index page
+#enable-index-owner=1
+
+# Allow http transport git clone
+#enable-http-clone=1
+
# Show extra links for each repository on the index page
-enable-index-links=1
+#enable-index-links=0
+
+# Enable blame page and create links to it from tree page
+#enable-blame=0
# Enable ASCII art commit history graph on the log pages
-enable-commit-graph=1
+#enable-commit-graph=0
# Show number of affected files per commit on the log pages
-enable-log-filecount=1
+#enable-log-filecount=0
# Show number of added/removed lines per commit on the log pages
-enable-log-linecount=1
+#enable-log-linecount=0
+
+# Sort branches by age or name
+#branch-sort=name
# Add a cgit favicon
#favicon=/favicon.ico
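Review bot: The four options that were active in the shipped default — `enable-index-links=1`, `enable-commit-graph=1`, `enable-log-filecount=1` and `enable-log-linecount=1` (L451, L457, L460, L463) — are replaced by commented-out `...=0` lines, so a fresh install now gets cgit's built-in defaults for them instead of the previously enabled behaviour; existing installs are unaffected because the file is `%config(noreplace)`. This is a user-visible change worth a sentence in the changelog, and the new comments could say the value shown is the default rather than a recommended setting, e.g. `# Show extra links for each repository on the index page (default: 0)`. The file continues outside the hunk.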
@@ -29,14 +41,14 @@ enable-log-linecount=1
# Use a custom logo
logo=/cgit-data/cgit.png
-# Enable statistics per week, month and quarter
-max-stats=quarter
+# Enable statistics per week, month, quarter, or year
+#max-stats=
# Set the title and heading of the repository index page
-#root-title=example.com git repositories
+#root-title=Git Repository Browser
# Set a subheading for the repository index page
-#root-desc=tracking the foobar development
+#root-desc=a fast webinterface for the git dscm
# Include some more info about this site on the index page
#root-readme=/var/www/html/about.html
@@ -59,6 +71,43 @@ mimetype.svg=image/svg+xml
# Enable syntax highlighting (requires the highlight package)
#source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh
+# Format markdown, restructuredtext, manpages, text files, and html files
+# through the right converters
+#about-filter=/usr/libexec/cgit/filters/about-formatting.sh
+
+##
+## Search for these files in the root of the default branch of repositories
+## for coming up with the about page:
+##
+#readme=:README.md
+#readme=:readme.md
+#readme=:README.mkd
+#readme=:readme.mkd
+#readme=:README.rst
+#readme=:readme.rst
+#readme=:README.html
+#readme=:readme.html
+#readme=:README.htm
+#readme=:readme.htm
+#readme=:README.txt
+#readme=:readme.txt
+#readme=:README
+#readme=:readme
+#readme=:INSTALL.md
+#readme=:install.md
+#readme=:INSTALL.mkd
+#readme=:install.mkd
+#readme=:INSTALL.rst
+#readme=:install.rst
+#readme=:INSTALL.html
+#readme=:install.html
+#readme=:INSTALL.htm
+#readme=:install.htm
+#readme=:INSTALL.txt
+#readme=:install.txt
+#readme=:INSTALL
+#readme=:install
+
##
## List of repositories.
## PS: Any repositories listed when section is unset will not be