ui-summary: Disallow directory traversal
1 /* ui-summary.c: functions for generating repo summary page
2 *
3 * Copyright (C) 2006 Lars Hjemli
4 * Copyright (C) 2010 Jason A. Donenfeld <Jason@zx2c4.com>
5 *
6 * Licensed under GNU General Public License v2
7 * (see COPYING for full license text)
8 */
9
10 #include "cgit.h"
11 #include "ui-summary.h"
12 #include "html.h"
13 #include "ui-log.h"
14 #include "ui-refs.h"
15 #include "ui-blob.h"
16
/*
 * Emit one clone URL as a full-width table row.
 *
 * base:   the URL (or URL prefix); nothing is printed when it is NULL/empty.
 * suffix: optional path joined to base with a single '/'.
 *
 * The href goes through html_url_path() and the visible text through
 * html_txt(), so both are escaped by the html layer rather than here.
 */
static void print_url(char *base, char *suffix)
{
	struct strbuf joined = STRBUF_INIT;
	int span = 3;

	/* The row must span as many columns as the rest of the summary
	 * table, which grows with the optional per-commit count columns. */
	if (ctx.repo->enable_log_filecount)
		span += 1;
	if (ctx.repo->enable_log_linecount)
		span += 1;

	if (!base || !*base)
		return;

	if (suffix && *suffix) {
		strbuf_addf(&joined, "%s/%s", base, suffix);
		base = joined.buf;
	}

	htmlf("<tr><td colspan='%d'><a href='", span);
	html_url_path(base);
	html("'>");
	html_txt(base);
	html("</a></td></tr>\n");

	strbuf_release(&joined);
}
40
/*
 * Print every space-separated URL in txt as its own clone row, preceded
 * (before the first one only) by a spacer row and a "Clone" heading.
 *
 * txt is temporarily modified in place: each token is NUL-terminated for
 * the duration of the print_url() call and the original byte is restored
 * afterwards, so the buffer must be writable. suffix is passed through to
 * print_url() unchanged for every token.
 */
static void print_urls(char *txt, char *suffix)
{
	char *cursor = txt;
	int printed = 0;
	int span = 3;

	if (ctx.repo->enable_log_filecount)
		span += 1;
	if (ctx.repo->enable_log_linecount)
		span += 1;

	while (cursor && *cursor) {
		size_t len;
		char saved;

		/* Skip the run of separators in front of the next token. */
		cursor += strspn(cursor, " ");
		if (!*cursor)
			break;

		len = strcspn(cursor, " ");
		saved = cursor[len];
		cursor[len] = '\0';

		if (printed++ == 0) {
			htmlf("<tr class='nohover'><td colspan='%d'>&nbsp;</td></tr>", span);
			htmlf("<tr><th class='left' colspan='%d'>Clone</th></tr>\n", span);
		}
		print_url(cursor, suffix);

		cursor[len] = saved;
		cursor += len;
	}
}
72
/* Emit an empty, non-highlighted spacer row spanning the whole table. */
static void summary_spacer_row(int span)
{
	htmlf("<tr class='nohover'><td colspan='%d'>&nbsp;</td></tr>", span);
}

/*
 * Render the repository summary page: branches, tags, an optional short
 * log, and the clone URL rows, all inside one "repository info" table.
 *
 * Clone URLs come from the repo's own clone_url (after macro expansion)
 * or, failing that, from the global clone_prefix joined with the repo url.
 * NOTE(review): the expand_macros() result is never released here; whether
 * it allocates is not visible in this file — confirm against shared.c.
 */
void cgit_print_summary()
{
	int span = 3 + (ctx.repo->enable_log_filecount ? 1 : 0)
		     + (ctx.repo->enable_log_linecount ? 1 : 0);

	html("<table summary='repository info' class='list nowrap'>");

	cgit_print_branches(ctx.cfg.summary_branches);
	summary_spacer_row(span);
	cgit_print_tags(ctx.cfg.summary_tags);

	if (ctx.cfg.summary_log > 0) {
		summary_spacer_row(span);
		cgit_print_log(ctx.qry.head, 0, ctx.cfg.summary_log,
			       NULL, NULL, NULL, 0, 0, 0);
	}

	if (ctx.repo->clone_url)
		print_urls(expand_macros(ctx.repo->clone_url), NULL);
	else if (ctx.cfg.clone_prefix)
		print_urls(ctx.cfg.clone_prefix, ctx.repo->url);

	html("</table>");
}
97
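/*
 * Decide whether the resolved path `full` lies inside the resolved
 * directory `base`. A bare prefix test is not enough: "/srv/repo-private/x"
 * starts with "/srv/repo" yet is a sibling, not a child, so the byte after
 * the prefix must be a path separator (or the end of the string).
 *
 * Returns non-zero when full is base itself or something beneath it.
 * Either argument being NULL (e.g. a failed realpath()) is a rejection.
 */
static int path_within_dir(const char *full, const char *base)
{
	size_t n;

	if (!full || !base)
		return 0;
	n = strlen(base);
	if (strncmp(full, base, n) != 0)
		return 0;
	/* base already ends in '/' (only realpath("/") does): anything
	 * carrying that prefix is beneath it. */
	if (n > 0 && base[n - 1] == '/')
		return 1;
	return full[n] == '\0' || full[n] == '/';
}

/*
 * Resolve the configured readme into a file to print.
 *
 * readme: the repo's readme setting, either a filesystem path (absolute,
 *         or relative to repo->path) or "ref:path" for a file tracked in
 *         git; a leading ':' alone selects repo->defbranch.
 * path:   optional subpath requested for the about page, taken relative to
 *         the directory containing the configured readme.
 * filename, ref: outputs. *ref is the git ref when the readme is tracked,
 *         else NULL; *filename is the path to print, or NULL when there is
 *         nothing to show or the request was rejected.
 *
 * For on-disk readmes the subpath is only accepted when the realpath() of
 * the result stays inside the realpath() of the readme's directory, which
 * also rejects symlinks that escape it. For tracked readmes the subpath is
 * handed to the git tree lookup unchecked — NOTE(review): relies on that
 * lookup not interpreting ".." components; confirm in ui-blob.c.
 *
 * The caller must free filename and ref after calling this.
 */
void cgit_parse_readme(const char *readme, const char *path, char **filename, char **ref, struct cgit_repo *repo)
{
	const char *slash, *colon;
	char *prefixed = NULL;		/* repo->path-prefixed copy, if one is made */
	char *resolved_base = NULL, *resolved_full = NULL;
	size_t dirlen;

	*filename = NULL;
	*ref = NULL;

	if (!readme || !(*readme))
		return;

	/* Check if the readme is tracked in the git repo. A trailing ':'
	 * with nothing after it is not treated as a ref separator. */
	colon = strchr(readme, ':');
	if (colon && strlen(colon) > 1) {
		/* If it starts with a colon, we want to use
		 * the default branch */
		if (colon == readme && repo->defbranch)
			*ref = xstrdup(repo->defbranch);
		else
			*ref = xstrndup(readme, colon - readme);
		readme = colon + 1;
	}

	/* Prepend repo path to relative readme path unless tracked. The
	 * previous version leaked this buffer; it is released below. */
	if (!(*ref) && *readme != '/') {
		prefixed = fmtalloc("%s/%s", repo->path, readme);
		readme = prefixed;
	}

	if (!path) {
		*filename = xstrdup(readme);
		free(prefixed);
		return;
	}

	/* If a subpath is specified for the about page, make it relative
	 * to the directory containing the configured readme. */
	slash = strrchr(readme, '/');
	if (slash) {
		dirlen = (size_t)(slash - readme + 1);	/* includes the '/' */
	} else if (*ref) {
		/* Tracked readme at the tree root: the subpath is the
		 * whole in-tree path, with no directory prefix. */
		dirlen = 0;
	} else {
		/* An on-disk readme always carries a '/' by now (absolute
		 * or repo->path-prefixed); bail out rather than guess. */
		free(prefixed);
		return;
	}

	*filename = xmalloc(dirlen + strlen(path) + 1);
	memcpy(*filename, readme, dirlen);
	/* strncpy() of exactly dirlen bytes left this unterminated, so the
	 * realpath() below used to read past the copied prefix. */
	(*filename)[dirlen] = '\0';
	if (!(*ref))
		resolved_base = realpath(*filename, NULL);

	strcpy(*filename + dirlen, path);

	if (!(*ref)) {
		/* A nonexistent target makes realpath() fail, which rejects
		 * it as well; symlinks are resolved before the comparison. */
		resolved_full = realpath(*filename, NULL);
		if (!path_within_dir(resolved_full, resolved_base)) {
			free(*filename);
			*filename = NULL;
		}
		free(resolved_base);
		free(resolved_full);
	}

	free(prefixed);
}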
153
/*
 * Print the repo's readme (or the about-page subpath within its directory)
 * inside a <div id='summary'>, piping it through the about-filter when one
 * is configured.
 *
 * path: optional subpath from the request, resolved by cgit_parse_readme(),
 *       which also decides whether it may be shown at all.
 *
 * A tracked readme (ref set) is read from the git tree via cgit_print_file();
 * otherwise the file is included straight from the filesystem.
 */
void cgit_print_repo_readme(char *path)
{
	char *filename, *ref;
	int filtered;

	cgit_parse_readme(ctx.repo->readme, path, &filename, &ref, ctx.repo);
	if (!filename)
		return;

	filtered = ctx.repo->about_filter != NULL;

	html("<div id='summary'>");

	if (filtered) {
		/* The filter receives the resolved readme location as argv[1]. */
		ctx.repo->about_filter->argv[1] = filename;
		cgit_open_filter(ctx.repo->about_filter);
	}

	if (ref)
		cgit_print_file(filename, ref);
	else
		html_include(filename);

	if (filtered) {
		cgit_close_filter(ctx.repo->about_filter);
		ctx.repo->about_filter->argv[1] = NULL;
	}

	html("</div>");

	free(ref);
	free(filename);
}