X-Git-Url: https://git.ladys.computer/Gitweb/blobdiff_plain/a02c806f06d5da1ec22dc5fab02fa8f8ee052d6d17ec4f9ac4c6fcd33380e5e6..8467d6ae3a28e9398e8be47a8a73c37c8a67474dce4a0118dc21ea7551c4d01e:/README diff --git a/README b/README index 00cef6e..32e1b4c 100644 --- a/README +++ b/README @@ -205,12 +205,17 @@ not include variables usually directly set during build): * $fallback_encoding Gitweb assumes this charset if line contains non-UTF-8 characters. Fallback decoding is used without error checking, so it can be even - 'utf-8'. Value mist be valid encodig; see Encoding::Supported(3pm) man + 'utf-8'. Value must be valid encoding; see Encoding::Supported(3pm) man page for a list. By default 'latin1', aka. 'iso-8859-1'. * @diff_opts Rename detection options for git-diff and git-diff-tree. By default ('-M'); set it to ('-C') or ('-C', '-C') to also detect copies, or set it to () if you don't want to have renames detection. + * $prevent_xss + If true, some gitweb features are disabled to prevent content in + repositories from launching cross-site scripting (XSS) attacks. Set this + to true if you don't trust the content of your repositories. The default + is false. Projects list file format @@ -257,7 +262,9 @@ You can use the following files in repository: A .html file (HTML fragment) which is included on the gitweb project summary page inside
block element. You can use it for longer description of a project, to provide links (for example to project's - homepage), etc. + homepage), etc. This is recognized only if XSS prevention is off + ($prevent_xss is false); a way to include a readme safely when XSS + prevention is on may be worked out in the future. * description (or gitweb.description) Short (shortened by default to 25 characters in the projects list page) single line description of a project (of a repository). Plain text file; @@ -369,7 +376,7 @@ named without a .git extension (e.g. /pub/git/project instead of DocumentRoot /var/www/gitweb - AliasMatch ^(/.*?)(\.git)(/.*)? /pub/git$1$3 + AliasMatch ^(/.*?)(\.git)(/.*)?$ /pub/git$1$3 Options ExecCGI AddHandler cgi-script cgi @@ -394,6 +401,14 @@ http://git.example.com/project will provide human-friendly gitweb access. +This solution is not 100% bulletproof, in the sense that if some project +has a named ref (branch, tag) starting with 'git/', then paths such as + +http://git.example.com/project/command/abranch..git/abranch + +will fail with a 404 error. + + Originally written by: Kay Sievers
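Review bot: the new `$prevent_xss` entry in the first hunk says "some gitweb features are disabled" without naming them, so an administrator cannot tell from this text what stops working when the option is turned on. Suggest listing the affected features under the option itself (the `README.html` inclusion that the second hunk documents is one of them) so that the trade-off between losing those features and keeping untrusted repository content out of the gitweb origin is visible in one place; the "mist"/"encodig" typo fix above it is fine.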
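Review bot: the sentence added to the `README.html` entry, "a way to include a readme safely when XSS prevention is on may be worked out in the future", is a statement of intent rather than of behaviour and will go stale. Suggest something like "This is recognized only if XSS prevention is off ($prevent_xss is false); there is currently no way to include it when XSS prevention is on." It would also help to say why in the same breath, namely that the file is an HTML fragment included as-is in the summary page, which is exactly what `$prevent_xss` exists to block.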
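Review bot: the `$` appended in `AliasMatch ^(/.*?)(\.git)(/.*)?$ /pub/git$1$3` is a correct tightening, but nothing in the README says what it corrects. Without the anchor the optional `(/.*)?` group can match the empty string, so a URL-path whose text after `.git` does not start with `/` can still match with that trailing text silently dropped; with the anchor the trailing group has to consume the rest of the URL-path, so such requests no longer match. A one-line remark next to the directive that the trailing `$` is required, and why, would keep the next person from "simplifying" it back.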
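Review bot: the new caveat paragraph gives the symptom (a 404 for `http://git.example.com/project/command/abranch..git/abranch`) but not the cause, which a reader needs in order to judge whether it affects them. The lazy `(/.*?)` stops at the first `.git` it finds, which in this URL is inside the range separator `..git/` rather than at the repository name, so `$1` becomes `/project/command/abranch.` and the alias resolves to a path that does not exist. Suggest stating that in one sentence, and saying explicitly that the example encodes a ref named `git/abranch` in a `..` range, since "starting with 'git/'" is easy to miss in the URL as written.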