| commit | 42234719e8b8f0f29208dba7bc168dcea050bbef | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Wed, 30 Mar 2016 17:39:19 +0000 (30 10:39 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Wed, 30 Mar 2016 17:39:19 +0000 (30 10:39 -0700) | ||
| tree | 0a0e336efc1039522e13da64f65b930c6b765c49 | treesnapshot (tar.gz zip) |
| parent | 1e46bfa5dd3dfb659b0544a0d178990141e3fd28 | commitdiff |
apache.conf.in: tighten up client auth required checks
Simplify the checks to more closely match those done by
http-backend.c.
Specifically, if the URL (excluding any query string) ends in
"/info/refs" AND the query string contains "service=git-receive-pack"
then always require authentication but only for GET or HEAD.
If the URL (excluding any query string) ends in
"/git-receive-pack" then always require authentication but only
for POST.
Also make the tests case-insensitive.
This drops all user agent testing from the checks and ignores
whether or not a leading "/r/" appears.
While this will cause more requests to trigger authentication
required checks, this should only impact bogus requests.
No legitimate Girocco GET or HEAD request (web or git) will
ever set "service=git-receive-pack" unless it's a real git
smart http push request in which case authentication must always
be required anyway.
The only legitimate non-git POST requests generated by Girocco
are by the various admin/info *.cgi scripts and none of them
ever generate anything ending in "/git-receive-pack" so again
there's no impact to legitimate requests.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Simplify the checks to more closely match those done by
http-backend.c.
Specifically, if the URL (excluding any query string) ends in
"/info/refs" AND the query string contains "service=git-receive-pack"
then always require authentication but only for GET or HEAD.
If the URL (excluding any query string) ends in
"/git-receive-pack" then always require authentication but only
for POST.
Also make the tests case-insensitive.
This drops all user agent testing from the checks and ignores
whether or not a leading "/r/" appears.
While this will cause more requests to trigger authentication
required checks, this should only impact bogus requests.
No legitimate Girocco GET or HEAD request (web or git) will
ever set "service=git-receive-pack" unless it's a real git
smart http push request in which case authentication must always
be required anyway.
The only legitimate non-git POST requests generated by Girocco
are by the various admin/info *.cgi scripts and none of them
ever generate anything ending in "/git-receive-pack" so again
there's no impact to legitimate requests.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
| apache.conf.in | diffblobblamehistory | |
| cgi/authrequired.cgi | diffblobblamehistory |