-rw-r--r-- | 0001-clone-fix-directory-traversal.patch | 62 | ||||
-rw-r--r-- | cgit-0.9.1-highlightv3.patch | 13 | ||||
-rw-r--r-- | cgit.spec | 240 | ||||
-rw-r--r-- | cgitrc | 69 |
4 files changed, 246 insertions, 138 deletions
diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch deleted file mode 100644 index 9f647f2..0000000 --- a/0001-clone-fix-directory-traversal.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Fri, 3 Aug 2018 15:46:11 +0200 -Subject: [PATCH] clone: fix directory traversal - -This was introduced in the initial version of this code, way back when -in 2008. - -$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd -root:x:0:0:root:/root:/bin/sh -... - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> -Reported-by: Jann Horn <jannh@google.com> ---- - ui-clone.c | 23 +++++++++++++++++++---- - 1 file changed, 19 insertions(+), 4 deletions(-) - -diff --git a/ui-clone.c b/ui-clone.c -index 2c1ac3d..6ba8f36 100644 ---- a/ui-clone.c -+++ b/ui-clone.c -@@ -92,17 +92,32 @@ void cgit_clone_info(void) - - void cgit_clone_objects(void) - { -- if (!ctx.qry.path) { -- cgit_print_error_page(400, "Bad request", "Bad request"); -- return; -- } -+ char *p; -+ -+ if (!ctx.qry.path) -+ goto err; - - if (!strcmp(ctx.qry.path, "info/packs")) { - print_pack_info(); - return; - } - -+ /* Avoid directory traversal by forbidding "..", but also work around -+ * other funny business by just specifying a fairly strict format. For -+ * example, now we don't have to stress out about the Cygwin port. -+ */ -+ for (p = ctx.qry.path; *p; ++p) { -+ if (*p == '.' && *(p + 1) == '.') -+ goto err; -+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-') -+ goto err; -+ } -+ - send_file(git_path("objects/%s", ctx.qry.path)); -+ return; -+ -+err: -+ cgit_print_error_page(400, "Bad request", "Bad request"); - } - - void cgit_clone_head(void) --- -2.18.0 - diff --git a/cgit-0.9.1-highlightv3.patch b/cgit-0.9.1-highlightv3.patch deleted file mode 100644 index df06a81..0000000 
--- a/cgit-0.9.1-highlightv3.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -Nur cgit-0.9.1.orig/filters/syntax-highlighting.sh cgit-0.9.1/filters/syntax-highlighting.sh ---- cgit-0.9.1.orig/filters/syntax-highlighting.sh 2012-11-14 17:28:59.000000000 -0700 -+++ cgit-0.9.1/filters/syntax-highlighting.sh 2012-11-17 10:47:07.870778180 -0700 -@@ -53,7 +53,7 @@ - # found (for example) on EPEL 6. - # - # This is for version 2 --exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null -+#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null - - # This is for version 3 --#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null -+exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null 
@@ -8,62 +8,114 @@ # Please preserve changelog entries # - # Review bug: https://bugzilla.redhat.com/479723 -%global gitver 2.10.2 +# Defaults +%global gitver 2.25.1 %global cachedir %{_localstatedir}/cache/%{name} %global filterdir %{_libexecdir}/%{name}/filters %global scriptdir %{_localstatedir}/www/cgi-bin %global cgitdata %{_datadir}/%{name} -%global syntax_highlight 1 +# GPG signing key fingerprints +%global gpg_cgit AB9942E6D4A4CFC3412620A749FC7012A5DE03AE +%global gpg_git 96E07AF25771955980DAD10020D04E5A713660A7 + +# Disable automatic compilation of *.py files outside of python sitelib, +# the *.py files in cgit are not importable python modules +%global _python_bytecompile_extra 0 + +# Settings for Fedora and EL > 7 +%if 0%{?fedora} || 0%{?rhel} > 7 +%global use_perl_interpreter 1 +%else +%global use_perl_interpreter 0 +%endif -# Temporarily -- in epel-7-ppc64 is not highlight package currently, #1117261 -%if 0%{?rhel} == 7 -%ifarch ppc64 -%global syntax_highlight 0 +# The highlight package is only available in EL7+ on ppc64le and x86_64 +%if 0%{?rhel} >= 7 && ! ( "%{_arch}" == "ppc64le" || "%{_arch}" == "x86_64" ) +%bcond_with highlight +%else +%bcond_without highlight %endif + +# Older epel lacks httpd-filesystem +%if 0%{?fedora} || 0%{?rhel} > 7 +%bcond_without httpd_filesystem +%else +%bcond_with httpd_filesystem %endif Name: cgit -Version: 1.1 -Release: 11%{?dist} +Version: 1.2.3 +Release: 3%{?dist} Summary: A fast web interface for git -Group: Development/Tools License: GPLv2 URL: https://git.zx2c4.com/cgit/ Source0: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz -Source1: https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz +Source1: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.xz Source2: cgitrc Source3: README.SELinux -# https://git.zx2c4.com/cgit/commit/?id=53efaf30b -Patch0: 0001-clone-fix-directory-traversal.patch +# Jason A. Donenfeld's key is used to sign cgit releases. 
+#https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc +Source90: gpgkey-%{gpg_cgit}.asc + +# Junio C Hamano's key is used to sign git releases. It can be found in the +# junio-gpg-pub tag within git. +# +# (Note that the tagged blob in git contains a version of the key with an +# expired signing subkey. The subkey expiration has been extended on the +# public keyservers, but the blob in git has not been updated.) +# +# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub +# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b +# https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc +Source91: gpgkey-%{gpg_git}.asc + +# Tarball signatures +Source92: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.asc +Source93: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.sign + +# All supported releases use highlight version 3. +Patch0: cgit-0.9.1-highlightv3.patch +# see https://lists.zx2c4.com/pipermail/cgit/2020-August/004508.html +Patch1: cgit-oldtar.patch # Security guys might try to repoquery for this. Provides: bundled(git) = %gitver -%if %{syntax_highlight} -# All supported releases use hightlight version 3. 
-Patch1: cgit-0.9.1-highlightv3.patch +%if %{with highlight} BuildRequires: highlight %endif BuildRequires: asciidoc BuildRequires: gcc -%if 0%{?fedora} || 0%{?rhel} >= 6 +BuildRequires: gnupg2 BuildRequires: libcurl-devel -%else -BuildRequires: curl-devel -%endif BuildRequires: openssl-devel BuildRequires: lua-devel BuildRequires: make +BuildRequires: zlib-devel -%if 0%{?fedora} -# just to be able to install httpd configuration correctly, FC21+ +# Test dependencies +BuildRequires: gettext +BuildRequires: lzip +%if %{use_perl_interpreter} +BuildRequires: perl-interpreter +%else +BuildRequires: perl +%endif +BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: strace +BuildRequires: tidy +BuildRequires: unzip +BuildRequires: xz +BuildRequires: zstd + +%if %{with httpd_filesystem} +# httpd-filesystem provides the basic apache directory layout Requires: httpd-filesystem %endif Requires: webserver 
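Review bot: `Patch0: cgit-0.9.1-highlightv3.patch` still names a file that this same commit deletes (the diffstat and the deleted-file section above show it going to /dev/null), so `%autosetup -p1` will fail at build time unless the patch is supplied from outside this repository; either keep the file or drop the `Patch0` line together with its comment. The hunk also adds `Patch1: cgit-oldtar.patch`, the `Source90`/`Source91` key files and the `Source92`/`Source93` signatures, none of which appear in the diffstat, so they are presumably already present elsewhere — worth confirming, because a missing key file now turns the `%prep` signature check into a hard build failure rather than a skipped step. The `# see https://lists...` comment on `Patch1` could say in one line what the patch fixes rather than only pointing at the list archive, since the changelog entry "add patch for EL-8" appears to refer to it.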
@@ -73,28 +125,47 @@ Requires: webserver Cgit is a fast web interface for git. It uses caching to increase performance. %prep -%setup -q -a 1 -%patch0 -p1 -%if %{syntax_highlight} -%patch1 -p1 -%endif +# Verify GPG signatures +# +# Create a temp dir for gpg to ensure we don't use any existing keyrings or +# configuration +gpghome="$(mktemp -qd)" +# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and +# verify them using the respective signing keys +verify_source() { + local src=$1 key=$2 ext=$3 tar + tar=${src/%.xz/} + xz -dc $src > $tar + gpg2 --dearmor --quiet --batch --yes $key >/dev/null + gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar + rm -f $key.gpg $tar +} +verify_source %{SOURCE0} %{SOURCE90} .asc +verify_source %{SOURCE1} %{SOURCE91} .sign +rm -rf "$gpghome" + +# Ensure a blank line follows autosetup, el6 chokes otherwise +# https://bugzilla.redhat.com/1310704 +%autosetup -a 1 -p1 # setup the git dir rm -rf git mv git-%{gitver} git +# add README.SELinux +cp -p %{SOURCE3} . + # Use the same options for every invocation of 'make'. # Otherwise it will rebuild in %%install due to flags changes. cat << \EOF > cgit.conf V = 1 CFLAGS = %{optflags} LDFLAGS = %{?__global_ldflags} -DESTDIR = %{buildroot} -INSTALL = install -p CACHE_ROOT = %{cachedir} CGIT_SCRIPT_PATH = %{scriptdir} CGIT_SCRIPT_NAME = cgit CGIT_DATA_PATH = %{cgitdata} +COPYTREE = %{__cp} -rp docdir = %{docdir} filterdir = %{filterdir} prefix = %{_prefix} 
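Review bot: The new `verify_source` accepts a good signature from any key in the keyring it is handed, and the fingerprints declared as `%{gpg_cgit}`/`%{gpg_git}` are only used to name the `Source90`/`Source91` files, never compared against the key that actually made the signature; an SRPM in which the `.asc` key and the detached signature were both replaced therefore still passes the check. gpgv2 reports the primary key fingerprint on its `VALIDSIG` status line, so the function can take the expected fingerprint as a fourth argument and require a match, which still fails closed under rpm's `-e` shell because `grep -q` exits non-zero when no such line is printed. A short comment above `gpghome=` would also help: the dearmored keyring `$key.gpg` and the decompressed tarball are written into the sources directory and the `rm -f` only runs when verification succeeds.
```spec
verify_source() {
    local src=$1 key=$2 ext=$3 fpr=$4 tar
    # … unchanged: decompress $src to $tar, dearmor $key into $key.gpg …
    # Require a good signature whose primary key is the one we expect;
    # gpgv2 by itself accepts any key that happens to be in the keyring.
    gpgv2 --homedir "$gpghome" --quiet --status-fd 1 --keyring $key.gpg $tar$ext $tar \
        | grep -q "^\[GNUPG:\] VALIDSIG .* ${fpr}$"
    rm -f $key.gpg $tar
}
verify_source %{SOURCE0} %{SOURCE90} .asc %{gpg_cgit}
verify_source %{SOURCE1} %{SOURCE91} .sign %{gpg_git}
```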
@@ -107,20 +178,17 @@ CFLAGS = %{optflags} LDFLAGS = %{?__global_ldflags} EOF -# I tried to use matchpathcon, but we would need to require -# selinux-policy-targeted probably. +# remove env shebang's from filter scripts +grep -rl '#!.*/env' filters/ | xargs -r sed -Ei 's@^(.+/)env (.+)$@\1\2@' -build_dist=%{?fedora:fedora}%{?rhel:rhel} -build_ver=%{?fedora}%{?rhel} - -cgit_context=git_sys_content_t -sed -e "s|@CGIT_CONTEXT@|$cgit_context|g" \ - %{SOURCE3} > README.SELinux +# remove execute permissions from contrib file +find contrib -type f | xargs -r chmod -x +# default httpd config cat > httpd.conf <<EOF Alias /cgit-data /usr/share/cgit ScriptAlias /cgit /var/www/cgi-bin/cgit -%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 +%if 0%{?fedora} || 0%{?rhel} >= 7 <Directory "/usr/share/cgit"> Require all granted </Directory> @@ -129,32 +197,31 @@ EOF %build -make %{?_smp_mflags} - -# Something in the a2x chain doesn't like running in parallel. :/ -make -j1 doc-man doc-html +%make_build all doc-man doc-html -%if %{syntax_highlight} -# el5 highlight doesn't know --print-style +%if %{with highlight} highlight --print-style --style-outfile=stdout >> cgit.css %endif %install -make DESTDIR=%{buildroot} install install-man +%make_install install install-man install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d install -p -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/cgitrc install -p -m0644 httpd.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/cgit.conf install -d -m0755 %{buildroot}%{cachedir} +%check +make test + %files -%doc COPYING README* *.html +%doc README* contrib *.html +%license COPYING %config(noreplace) %{_sysconfdir}/cgitrc -%if 0%{?rhel} && 0%{?rhel} <= 7 -# Keep those two httpd-owned directories listed here until httpd-filesystem -# becomes part of EPEL. See rhbz#1138599 for more details. +%if ! %{with httpd_filesystem} +# own httpd config dirs on systems without httpd-filesystem %dir %{_sysconfdir}/httpd %dir %{_sysconfdir}/httpd/conf.d %endif 
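Review bot: The shebang rewrite `sed -Ei 's@^(.+/)env (.+)$@\1\2@'` is anchored only at line start, so it rewrites any line in the matched filter scripts that happens to contain `/env ` (a comment or usage string, for example), not just the interpreter line. Anchoring on the shebang keeps the edit to the one line it is meant for: `grep -rl '#!.*/env' filters/ | xargs -r sed -Ei 's@^#!(.+/)env (.+)$@#!\1\2@'`. A one-line comment such as `# replace /usr/bin/env shebangs with the absolute interpreter path (rpmlint, and no PATH lookup at runtime)` would also record why this is done.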
@@ -162,16 +229,71 @@ install -d -m0755 %{buildroot}%{cachedir} %dir %attr(-,apache,root) %{cachedir} %{cgitdata} %{filterdir} +# exclude byte-compiled python files (relevant on Fedora < 29 and RHEL < 8) +%exclude %{filterdir}/*.py[co] %{scriptdir}/* %{_mandir}/man*/* %changelog -* Fri Aug 24 2018 Remi Collet <remi@remirepo.net> - 1.1-11 -- rebuild for remirepo, synced with EPEL-7: +* Mon Dec 14 2020 Remi Collet <remi@remirepo.net> - 1.2.3-3 +- rebuild for remirepo, synced with rawhide +- add patch for EL-8 + +* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Apr 02 2020 Björn Esser <besser82@fedoraproject.org> - 1.2.3-2 +- Fix string quoting for rpm >= 4.16 + +* Sat Mar 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.3-1 +- update to 1.2.3 + +* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Jan 14 2020 Todd Zullinger <tmz@pobox.com> - 1.2.2-1 +- update to 1.2.2 +- adjust highlight requirement conditional for EL-7+ + +* Fri Aug 02 2019 Todd Zullinger <tmz@pobox.com> - 1.2.1-5 +- add missing zlib-devel BuildRequires, fixes FTBFS (#1737005) + +* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11 -- Fix directory traversal vulnerability +* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Aug 10 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-2 +- use git's default, collision-detecting SHA1 implementation +- verify upstream GPG signatures in %%prep + +* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-1 +- Update to 1.2.1, fixes directory traversal vulnerability + +* Fri Jul 13 2018 Todd 
Zullinger <tmz@pobox.com> - 1.2-1 +- Update to 1.2 +- Include contrib dir in docs +- Update example cgtirc settings + +* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11 +- disable automatic compilation of *.py files outside of python sitelib +- use %%bcond_(with|without) to toggle highlight +- use %%autosetup macro +- drop crufty curl-devel conditional +- fix parallel make issues in docs +- simplify README.SELinux install +- use %%bcond_(with|without) to handle httpd-filesystem +- avoid libcrypto.so requires +- run test suite in %%check + +* Mon Jun 04 2018 Todd Zullinger <tmz@pobox.com> +- make config: drop redundant DESTDIR/INSTALL, add COPYTREE +- remove env shebang's from filter scripts * Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10 - Use https for source URLs @@ -180,6 +302,18 @@ install -d -m0755 %{buildroot}%{cachedir} - Drop obsolete %%{buildroot} cleanup - Add gcc and make BuildRequires +* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 1.1-7 +- Rebuild with binutils fix for ppc64le (#1475636) + +* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Mon Jul 24 2017 Todd Zullinger <tmz@pobox.com> - 1.1-5 - Require webserver on all dists (#1468839) 
@@ -1,27 +1,39 @@ # -# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details +# See cgitrc(5) or /usr/share/doc/cgit/cgitrc.5.html for details # # Enable caching of up to 1000 output entries cache-size=1000 # Specify some default clone prefixes -#clone-prefix=git://example.com ssh://example.com/pub/git http://example.com/git +#clone-prefix=git://example.com ssh://example.com/pub/git https://example.com/git # Specify the css url css=/cgit-data/cgit.css +# Show owner on index page +#enable-index-owner=1 + +# Allow http transport git clone +#enable-http-clone=1 + # Show extra links for each repository on the index page -enable-index-links=1 +#enable-index-links=0 + +# Enable blame page and create links to it from tree page +#enable-blame=0 # Enable ASCII art commit history graph on the log pages -enable-commit-graph=1 +#enable-commit-graph=0 # Show number of affected files per commit on the log pages -enable-log-filecount=1 +#enable-log-filecount=0 # Show number of added/removed lines per commit on the log pages -enable-log-linecount=1 +#enable-log-linecount=0 + +# Sort branches by age or name +#branch-sort=name # Add a cgit favicon #favicon=/favicon.ico @@ -29,14 +41,14 @@ enable-log-linecount=1 # Use a custom logo logo=/cgit-data/cgit.png -# Enable statistics per week, month and quarter -max-stats=quarter +# Enable statistics per week, month, quarter, or year +#max-stats= # Set the title and heading of the repository index page -#root-title=example.com git repositories +#root-title=Git Repository Browser # Set a subheading for the repository index page -#root-desc=tracking the foobar development +#root-desc=a fast webinterface for the git dscm # Include some more info about this site on the index page #root-readme=/var/www/html/about.html 
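Review bot: The new `#enable-http-clone=1` line is the only hint that dumb-HTTP clone support is on by default, and that is the feature which serves a repository's `objects/` directory directly through the CGI — the same code path whose directory-traversal fix this commit stops carrying as a local patch, relying on the 1.2.3 upstream fix instead. The shipped config would be clearer with a warning next to it, e.g. `# Serves raw repository objects over HTTP (on by default); set to 0 if clones go via ssh or git-daemon`, so operators who do not need it know to turn it off rather than assume the commented line means it is disabled. The remaining toggles (`enable-index-links`, `enable-commit-graph`, `enable-log-*`) are commented out with `=0`, which I take to be cgit's built-in defaults; a one-line header stating that the commented values are the defaults would make that explicit.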
@@ -59,6 +71,43 @@ mimetype.svg=image/svg+xml # Enable syntax highlighting (requires the highlight package) #source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh +# Format markdown, restructuredtext, manpages, text files, and html files +# through the right converters +#about-filter=/usr/libexec/cgit/filters/about-formatting.sh + +## +## Search for these files in the root of the default branch of repositories +## for coming up with the about page: +## +#readme=:README.md +#readme=:readme.md +#readme=:README.mkd +#readme=:readme.mkd +#readme=:README.rst +#readme=:readme.rst +#readme=:README.html +#readme=:readme.html +#readme=:README.htm +#readme=:readme.htm +#readme=:README.txt +#readme=:readme.txt +#readme=:README +#readme=:readme +#readme=:INSTALL.md +#readme=:install.md +#readme=:INSTALL.mkd +#readme=:install.mkd +#readme=:INSTALL.rst +#readme=:install.rst +#readme=:INSTALL.html +#readme=:install.html +#readme=:INSTALL.htm +#readme=:install.htm +#readme=:INSTALL.txt +#readme=:install.txt +#readme=:INSTALL +#readme=:install + ## ## List of repositories. ## PS: Any repositories listed when section is unset will not be |
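Review bot: The `readme=:README.html`/`readme=:INSTALL.html` (and `.htm`) entries combined with `about-filter=about-formatting.sh` mean repository content chosen by whoever can push is rendered on the about page; if the shipped filter passes `.html` files through unchanged, as upstream's does to my knowledge, enabling these lines lets any committer inject arbitrary HTML and script into cgit's pages for every visitor. Since the lines are commented out nothing changes by default, but the example should carry the caveat, e.g. `# NOTE: .htm/.html readmes are shown as raw HTML taken from the repository; enable only for trusted committers` placed above the `:README.html` entry. The same applies, less directly, to the markdown/rst converters the filter runs, which execute on untrusted input at page render time.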