Package: gitolite
Version: 2.0-1
Severity: serious
Tags: patch

Hi,

I'm filing this bug with a severiy of serious as gitolite might present
a git repositories content via gitweb, although the gitweb permission
was removed from the config (or never existed). Don't hesitate to adjust
the severity, but I think it is warranted (and might even be worth a
security tag).


Imagine the following situation:
- you've configured a repository with owner and description and read
  access for gitweb:

  repo foo
        RW      = somebody
        R       = gitweb
  foo "Bar Buzz <[email protected]>" = "yet another description"

- you use the repository and realize that you accidentally shared
  bad[tm] content via gitweb. Therefore you remove gitweb access:

  repo foo
        RW      = somebody
  foo "Bar Buzz <[email protected]>" = "yet another description"

  and push your changes and assume, that your secret stuff is safe now.
  But unfortunately it is not.


Looking at gitolite.pm, line 454/455 it says:
  return ($desc or can_read($repo, 'gitweb'));
        # this return value is used by the caller to write to projects.list

So if there is a description, there will be gitweb access. This is
neither documented in the documentation (at least not on the pages which
talk about the gitweb integration) nor is the reason behind it obvious
to the user. Without R = gitweb I expect that the repository is not
listed in the projects list.

My suggested and untested patch is attached.


Cheers,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -451,7 +451,7 @@ sub setup_gitweb_access
         system("git config --remove-section gitweb 2>/dev/null");
     }
 
-    return ($desc or can_read($repo, 'gitweb'));
+    return can_read($repo, 'gitweb');
         # this return value is used by the caller to write to projects.list
 }
 

Reply via email to