> * debian/diff/0005-gitweb-do-not-run-git-diff-that-is-Porcelain.diff:
>   new; fix possible gitweb vulnerability: calling "git diff": Jakub
>   says that legacy-style URI to view two blob differences are never
>   generated since 1.4.3. This codepath runs "git diff" Porcelain from
>   the gitweb, which is a no-no. It can trigger diff.external command
>   that is specified in the configuration file of the repository being
>   viewed.

Jakub didn't know the whole picture. This change breaks ikiwiki configurations that use the old url form with gitweb. That url form is used in configuration examples that have probably been copied into a lot of ikiwiki setup files. (Who knows what else might rely on the old url form.. One other thing I've found that does is various cut-n-pasted gitweb urls embedded on various websites..)

I wonder if it wouldn't be better to make gitweb continue to support the old urls, using diff-tree instead of the porcelain?

Gerrit: I'll be releasing a new version of ikiwiki that documents how to use the new gitweb url form. The version in Debian testing would need to have a new-ish feature backported into it to support the new url form at all. So please let me know if there are any plans to make this change to the git in testing (or stable).

-- 
see shy jo