From c69f9f6c1bc18b718a8c8deb11934cca19929e02 Mon Sep 17 00:00:00 2001
From: bptato
Date: Sun, 30 Jun 2024 21:52:01 +0200
Subject: git.cgi: use forms

it's safer this way
---
 bonus/git.cgi | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
(limited to 'bonus/git.cgi')

diff --git a/bonus/git.cgi b/bonus/git.cgi
index 29390d74..a60193ed 100755
--- a/bonus/git.cgi
+++ b/bonus/git.cgi
@@ -31,7 +31,8 @@ for (const p of std.getenv("QUERY_STRING").split('&')) {
 }
 function startGitCmd(config, params) {
- std.out.puts("Content-Type: text/html\n\n");
+ std.out.puts("Content-Type: text/html\n\n" +
+ "");
 std.out.flush();
 const [read_fd, write_fd] = os.pipe();
 const [read_fd2, write_fd2] = os.pipe();
@@ -75,15 +76,23 @@ const cgi4 = `${cgi0}¶ms=stash%20apply`;
 if (params[0] == "log") {
 runGitCmd(config, params, /[a-f0-9]{40}/g, x => `${x}`)
-} else if (params[0] == "branch" && params.length == 1) {
+} else if (params[0] == "branch" && (params.length == 1 ||
+ params.length == 2 && params[1] == "--list")) {
 runGitCmd(config, params, /^(\s+)([\w.-]+)$/g, (_, ws, name) => `${ws}${name}\
- (switch)`);
+
`);
 } else if (params[0] == "stash" && params[1] == "list") {
 runGitCmd(config, params, /^stash@\{([0-9]+)\}/g, (s, n) => `stash@{${n}}\
- (apply)`);
+
`);
 } else {
+ const safeForGet = ["show", "diff", "blame", "status"];
+ if (std.getenv("REQUEST_METHOD") != "POST" &&
+ !safeForGet.includes(params[0])) {
+ std.out.puts(`Content-Type: text/plain\n\nnot allowed`);
+ std.out.flush();
+ std.exit(1);
+ }
 const title = encodeURIComponent('git ' + params.join(' '));
 std.out.puts(`Content-Type: text/x-ansi;title=${title}\n\n`);
 std.out.flush();
-- cgit 1.4.1-2-gfad0
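Review bot: The `REQUEST_METHOD` gate added in the `else` branch tells GET from POST but says nothing about where the POST came from, so the write commands the new forms submit can still be triggered by a form hosted elsewhere; if this CGI is ever reachable from anything but a single trusted client, checking `HTTP_ORIGIN` / `HTTP_SEC_FETCH_SITE` or adding a per-form token is what actually closes that gap. The refusal also goes out as an ordinary 200 response; prefixing a status header, `std.out.puts("Status: 405 Method Not Allowed\nContent-Type: text/plain\n\nnot allowed");`, lets the client recognise it as an error. `safeForGet` inspects only `params[0]`, while the remaining elements of `params` still reach git unchecked, so a GET to a "safe" subcommand can carry arbitrary extra arguments — worth a comment stating that, or an allowlist for those as well. Within the new lines, `!=` should be `!==`, and the mixed `||`/`&&` in the new `branch` condition reads more clearly as `(params.length == 1 || (params.length == 2 && params[1] == "--list"))`. The `else` branch continues past the end of the hunk.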