hide private gotd repositories from anonymous users
On 2024/05/06 16:25:47 +0200, Stefan Sperling <stsp@stsp.name> wrote:
> When mixing public and private repositories in the same gotd instance,
> anonymous users can guess names of private repositories and use gotd as
> an oracle about their existence by running: got clone -l $url/foo.git
>
> If foo.git does not exist then gotd returns "no git repository found".
> However, if foo.git does exist gotd returns "foo: Permission denied".
>
> This patch prevents leaking the names of private repositories.
> An explicit permission error will now be returned only if the connecting
> user matches a permit or deny rule for the requested repository.
>
> ok?
Yeah, we should strive to hide a repo for users that don't match a
permit or deny rule.
ok op@
p.s.: can you also test what gotwebd does? The listing should
skip directories that are not readable and/or lack the
git-daemon-export-ok file (if required). I don't think I've
ever played with the repo= query parameter though.
Thanks!
Omar Polo
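The existence oracle described in the thread, as an added example that is not gotd's own code: a clone request is answered from a constructed permit/deny table, and the only difference between the leaky and the hardened variant is what an existing repository replies when the user matches no rule at all. The rule table, repository list, user names and function names are assumptions made for this illustration.

```c
#include <string.h>
/* Constructed rule table for this example; gotd's real configuration
 * format and user model are not reproduced here. */
enum rule_kind { RULE_PERMIT, RULE_DENY };
struct rule { const char *repo; const char *user; enum rule_kind kind; };
static const struct rule rules[] = {
	{ "public.git", "anonymous", RULE_PERMIT },
	{ "secret.git", "alice",     RULE_PERMIT },
	{ "secret.git", "bob",       RULE_DENY   },
};
static const char *repos[] = { "public.git", "secret.git" };
enum response { RESP_OK, RESP_NOT_FOUND, RESP_PERMISSION_DENIED };

static int repo_exists(const char *repo)
{
	for (size_t i = 0; i < sizeof(repos) / sizeof(repos[0]); i++)
		if (strcmp(repos[i], repo) == 0)
			return 1;
	return 0;
}

/* Answer a clone request; 'unmatched' is the reply for an existing
 * repository when the user matches neither a permit nor a deny rule. */
static enum response
authorize(const char *repo, const char *user, enum response unmatched)
{
	if (!repo_exists(repo))
		return RESP_NOT_FOUND;
	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		if (strcmp(rules[i].repo, repo) != 0 ||
		    strcmp(rules[i].user, user) != 0)
			continue;
		return rules[i].kind == RULE_PERMIT ?
		    RESP_OK : RESP_PERMISSION_DENIED;
	}
	return unmatched;
}
/* Before the patch: an unmatched user still gets "Permission denied",
 * so a "no git repository found" reply proves the name is absent. */
enum response authorize_leaky(const char *repo, const char *user)
{
	return authorize(repo, user, RESP_PERMISSION_DENIED);
}
/* After the patch: an unmatched user gets the same reply as for a
 * nonexistent repository, so the name cannot be confirmed. */
enum response authorize_hardened(const char *repo, const char *user)
{
	return authorize(repo, user, RESP_NOT_FOUND);
}
```

Note that the hardened variant still returns an explicit permission error to a user who is named in a deny rule, which is the behaviour the patch description calls for.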