Package: gitolite
Version: 2.0-1
Severity: serious
Tags: patch
Hi,
I'm filing this bug with a severiy of serious as gitolite might present
a git repositories content via gitweb, although the gitweb permission
was removed from the config (or never existed). Don't hesitate to adjust
the severity, but I think it is warranted (and might even be worth a
security tag).
Imagine the following situation:
- you've configured a repository with owner and description and read
access for gitweb:
repo foo
RW = somebody
R = gitweb
foo "Bar Buzz <[email protected]>" = "yet another description"
- you use the repository and realize that you accidentally shared
bad[tm] content via gitweb. Therefore you remove gitweb access:
repo foo
RW = somebody
foo "Bar Buzz <[email protected]>" = "yet another description"
and push your changes and assume, that your secret stuff is safe now.
But unfortunately it is not.
Looking at gitolite.pm, line 454/455 it says:
return ($desc or can_read($repo, 'gitweb'));
# this return value is used by the caller to write to projects.list
So if there is a description, there will be gitweb access. This is
neither documented in the documentation (at least not on the pages which
talk about the gitweb integration) nor is the reason behind it obvious
to the user. Without R = gitweb I expect that the repository is not
listed in the projects list.
My suggested and untested patch is attached.
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -451,7 +451,7 @@ sub setup_gitweb_access
system("git config --remove-section gitweb 2>/dev/null");
}
- return ($desc or can_read($repo, 'gitweb'));
+ return can_read($repo, 'gitweb');
# this return value is used by the caller to write to projects.list
}