
From: "Omar Polo" <op@omarpolo.com>
Subject: Re: gotwebd request path validation for -portable
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Mon, 08 Sep 2025 14:37:41 +0200

Stefan Sperling <stsp@stsp.name> wrote:
> Block gotwebd requests with paths that point at repositories outside
> the server's assigned repository directory. This is needed for -portable
> where we cannot assume that chroot or unveil would prevent such access.
> 
> There is no problem on OpenBSD because unveil(2) already prevents this.
> 
> At present this is an accidental leak of unrelated repositories which
> a system running gotwebd might have somewhere on disk where the _gotwebd
> user can read them. Once we add authentication to gotwebd this bug could
> potentially be used to bypass authentication.
> 
> This fix applies early defenses in the query parser and when gotwebd looks
> up repositories on disk in case the query parser's verification is bypassed
> somehow. Is this good enough?
> 
> ok?

nice catch, ok op@

i'd prefer if the two functions would have a different name to avoid
confusion, but the types are different so it's ok.

> (Technically the HEADREF is not a path and could have much stricter checks
> applied to it. But got_ref_open will already do those additional checks.)
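
The two layers described in the quoted message (a check in the query parser, then a second check at repository lookup), sketched as an added example that is not part of this mail or of the gotwebd patch. The function names and the /srv/git root are hypothetical.

```c
/* Added illustration, not gotwebd source; all names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layer 1, query parser: relative path, no empty, "." or ".." component. */
int request_path_ok(const char *p)
{
	if (p == NULL || *p == '\0' || *p == '/')
		return 0;
	while (*p != '\0') {
		size_t n = strcspn(p, "/");
		if (n == 0 || (n <= 2 && strspn(p, ".") >= n))
			return 0;
		p += n;
		if (*p == '/' && *++p == '\0')
			return 0;	/* trailing slash */
	}
	return 1;
}
/* Whole-component prefix test on canonical paths, so that
 * "/srv/git-private" does not pass as a child of "/srv/git". */
int path_within(const char *root, const char *path)
{
	size_t len = strlen(root);
	if (strcmp(root, "/") == 0)
		return path[0] == '/';
	return strncmp(root, path, len) == 0 &&
	    (path[len] == '\0' || path[len] == '/');
}
/* Layer 2, repository lookup: realpath(3) resolves symlinks, then the
 * canonical result must still be under the canonical repos_dir. */
int repo_lookup_allowed(const char *repos_dir, const char *name)
{
	char joined[PATH_MAX], root[PATH_MAX], real[PATH_MAX];
	if (!request_path_ok(name) || (size_t)snprintf(joined, sizeof(joined),
	    "%s/%s", repos_dir, name) >= sizeof(joined))
		return 0;
	if (realpath(repos_dir, root) == NULL || realpath(joined, real) == NULL)
		return 0;
	return path_within(root, real);
}
int main(void)
{
	/* Constructed request paths; "/srv/git" is a hypothetical root. */
	const char *t[] = { "src.git", "team/src.git", "../etc", "a//b" };
	for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-13s parser=%d lookup=%d\n", t[i],
		    request_path_ok(t[i]), repo_lookup_allowed("/srv/git", t[i]));
	return 0;
}
```

The second layer still matters when the first passes: a symlink inside the repository directory has a clean-looking name but can resolve outside the root.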