Sunil Mohan Adapa 3001099cda
gitweb: Fix issue with elevated access to private repositories
When using git-http-backend, both URLs ending with .git and URLs without the .git suffix are allowed.
However, the access restriction has only been applied to URLs ending with .git. This
means that private git repositories are clone-able by anonymous users by
removing the .git suffix from the URLs.

Fix the issue by extending the access restriction to cover URLs not ending with
.git.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-10-19 19:14:04 -07:00


##
## On all sites, enable gitweb web interface. Also enable git-http-backend
## when performing upload/receive operations on the URL.
##
## Requires the following Apache modules to be enabled:
## mod_cgi or mod_cgid
## mod_rewrite
##
# Make gitweb work with custom FreedomBox configuration.
SetEnv GITWEB_CONFIG /etc/gitweb-freedombox.conf
# Configure git-http-backend to work with our repository path.
SetEnv GIT_PROJECT_ROOT /var/lib/git
# Tell git-http-backend to work with all the projects even when they don't have
# the file 'git-daemon-export-ok'.
# NOTE: because every repository under GIT_PROJECT_ROOT is exported, the only
# thing keeping anonymous clients out of a private repository is the
# AUTHREQUIRED logic in the <Directory /usr/lib/git-core/> block below.
SetEnv GIT_HTTP_EXPORT_ALL
# All git operations are handled by git-http-backend CGI script. Rest of the
# HTTP requests (say sent by the browser) are handled by gitweb.
#
# The pattern starts with (?x), so the whitespace introduced by the line
# continuations is ignored. It matches the smart-HTTP endpoints (HEAD,
# info/refs, objects/info/*, loose objects, pack files and the
# upload/receive-pack services) below any repository path under /gitweb/, and
# appends the whole matched path ($1) after the script name so it becomes the
# script's PATH_INFO. The repository part of that path may appear with or
# without a .git suffix; git-http-backend accepts both spellings. Because the
# target lives in /usr/lib/git-core/, the access rules of that <Directory>
# block apply to every request routed here.
# Keep this ScriptAliasMatch ahead of the generic Alias below: mod_alias uses
# the first matching directive in a context.
ScriptAliasMatch \
"(?x)^/gitweb/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
/usr/lib/git-core/git-http-backend/$1
# Every other URL under /gitweb/ is served from the gitweb installation.
Alias /gitweb /usr/share/gitweb
<Directory /usr/share/gitweb>
# Single sign-on for the gitweb web interface. Only when the browser already
# presents an auth_pubtkt cookie whose token list mentions admin or git-access
# is the shared SSO configuration pulled in and those two tokens accepted.
# The cookie regex is only a cheap pre-filter on the raw Cookie header; the
# ticket itself is presumably validated by mod_auth_pubtkt as set up by the
# included file -- verify there. Requests without such a cookie skip this
# SSO setup entirely.
<If "%{HTTP_COOKIE} =~ /auth_pubtkt=.*tokens.*(admin|git-access)/">
Include includes/freedombox-single-sign-on.conf
<IfModule mod_auth_pubtkt.c>
TKTAuthToken "git-access" "admin"
</IfModule>
</If>
# Allow index.cgi symlink to gitweb.cgi to work. Treat gitweb.cgi as CGI
# script and execute it.
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
# Allow files in /usr/share/gitweb/static/ to be served directly by Apache.
# Pass every other URL as argument to gitweb.cgi to enable short and clean
# URLs.
# NOTE(review): this block contains no private-repository check of its own;
# if gitweb is expected to hide repositories carrying a 'private' marker, that
# has to come from the GITWEB_CONFIG file named above, not from here -- confirm.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.* /gitweb/gitweb.cgi/$0 [L,PT]
</Directory>
<Directory /usr/lib/git-core/>
# Access rules for git-http-backend. A request is marked AUTHREQUIRED when it
# must not be served anonymously; the Require section at the end turns that
# mark into either anonymous access or LDAP basic authentication.
#
# Authentication is required when performing git push (git send-pack).
# The first expression catches the ref discovery step
# (GET .../info/refs?service=git-receive-pack), the second the push itself
# (POST .../git-receive-pack).
SetEnvIfExpr "%{QUERY_STRING} =~ /service=git-receive-pack/" AUTHREQUIRED
SetEnvIfExpr "%{REQUEST_URI} =~ /git-receive-pack$/" AUTHREQUIRED
# Authentication is required for any operation if repository is private.
# $1 is the first path component after /gitweb/, i.e. the repository name as
# written in the URL. git-http-backend accepts that name with or without a
# .git suffix, so the 'private' marker file is looked up under both spellings;
# testing only one of them would let the other spelling skip this check.
# NOTE(review): this test and git-http-backend's own path resolution must
# agree on which directory a URL names; confirm that the two spellings tested
# here are the only ones git-http-backend accepts under GIT_PROJECT_ROOT.
SetEnvIfExpr "%{REQUEST_URI} =~ m#^/gitweb/([^/]+)# && ( -f '/var/lib/git/$1/private' || -f '/var/lib/git/$1.git/private' )" AUTHREQUIRED
# Either authentication is not required for this operation and repository
# combination, or...
# (Top-level Require directives in a <Directory> combine as RequireAny, so
# this <RequireAll> is one alternative and the ldap-group lines below are the
# others.)
<RequireAll>
Require all granted
Require not env AUTHREQUIRED
</RequireAll>
# ...user belongs to admin or git-access groups, with basic auth via LDAP.
Include includes/freedombox-auth-ldap.conf
Require ldap-group cn=admin,ou=groups,dc=thisbox
Require ldap-group cn=git-access,ou=groups,dc=thisbox
</Directory>