From: Omar Polo
Subject: Re: hide private gotd repositories from anonymous users
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Mon, 06 May 2024 19:35:32 +0200

On 2024/05/06 16:25:47 +0200, Stefan Sperling wrote:
> When mixing public and private repositories in the same gotd instance,
> anonymous users can guess names of private repositories and use gotd as
> an oracle about their existence by running: got clone -l $url/foo.git
>
> If foo.git does not exist then gotd returns "no git repository found".
> However, if foo.git does exist gotd returns "foo: Permission denied".
>
> This patch prevents leaking the names of private repositories.
> An explicit permission error will now be returned only if the connecting
> user matches a permit or deny rule for the requested repository.
>
> ok?

Yeah, we should strive to hide a repo for users that don't match a permit
or deny rule.

ok op@

p.s.: can you also test what gotwebd does? The listing should skip
directories that are not readable and/or without the git-daemon-export-ok
file (if required). I don't think I've ever played with the repo= query
parameter though.

Thanks!

Omar Polo
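The access decision the patch describes, as an added C illustration that is not gotd's code: a user who matches no permit or deny rule for a repository gets the same "not found" answer whether or not the repository exists. The rule table, repository names and the `exists` flag are constructed for the example.

```c
#include <string.h>
/* Constructed illustration, not gotd's code: an explicit "Permission
 * denied" is returned only when a permit or deny rule for the repository
 * names the connecting user; otherwise a private repository is reported
 * exactly like a nonexistent one, so the reply is not an existence oracle. */
enum access_result { ACCESS_OK, ACCESS_NOT_FOUND, ACCESS_DENIED };
enum rule_kind { RULE_PERMIT, RULE_DENY };
/* One rule: which repository it applies to and which user it names. */
struct rule { enum rule_kind kind; const char *repo; const char *user; };

/* exists: whether the repository is present on disk (hypothetical flag). */
enum access_result
check_access(const char *repo, const char *user, int exists,
    const struct rule *rules, size_t nrules)
{
	size_t i;
	if (!exists)
		return ACCESS_NOT_FOUND;
	for (i = 0; i < nrules; i++) {
		if (strcmp(rules[i].repo, repo) != 0 ||
		    strcmp(rules[i].user, user) != 0)
			continue;
		/* The user matches a rule, so an explicit answer is allowed. */
		return rules[i].kind == RULE_PERMIT ? ACCESS_OK : ACCESS_DENIED;
	}
	/* No rule names this user: hide the repository instead of revealing it. */
	return ACCESS_NOT_FOUND;
}

/* Constructed sample state: repositories on disk and a small rule set. */
static const char *const repos_on_disk[] = { "public.git", "secret.git" };
static const struct rule sample_rules[] = {
	{ RULE_PERMIT, "public.git", "anonymous" },
	{ RULE_PERMIT, "secret.git", "alice" },
	{ RULE_DENY,   "secret.git", "mallory" },
};

/* Decide one request against the sample state. */
enum access_result
decide(const char *repo, const char *user)
{
	size_t i;
	int exists = 0;
	for (i = 0; i < sizeof(repos_on_disk) / sizeof(repos_on_disk[0]); i++)
		if (strcmp(repos_on_disk[i], repo) == 0)
			exists = 1;
	return check_access(repo, user, exists, sample_rules,
	    sizeof(sample_rules) / sizeof(sample_rules[0]));
}
```

With this rule set, "secret.git" and the nonexistent "nope.git" are indistinguishable to the anonymous user, while alice and mallory, who are named in rules, still get an explicit answer.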