From 5faff90e7647c3b6580d6e95821d9cf0499f2e9b Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Sat, 7 Feb 2015 17:16:23 -0800
Subject: [PATCH] apache.conf.in: do not allow accelerated access to '_' projects

While the rest of Girocco denies external access to any project names starting with '_' (which are reserved for internal use), the accelerated access to packs and loose objects provided by the web server configuration for non-smart HTTP access provided a loophole by which some parts of projects starting with '_' could be accessed. Close the loophole by only accelerating access for project names which do NOT start with '_'. Requests for non-smart HTTP access to loose objects and/or packs for project names starting with '_' will then be sent to git-http-backend-verify instead which will send the correct denied result code rather than allowing access.
---
 apache.conf.in | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/apache.conf.in b/apache.conf.in
index 9fa74fe..7ca4f32 100644
--- a/apache.conf.in
+++ b/apache.conf.in
@@ -92,14 +92,16 @@
 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
- AliasMatch ^/r/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
- AliasMatch ^/r/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
+ # But not for projects starting with '_' to which access should never be allowed
+ AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
+ AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
+ # But not for projects starting with '_' to which access should never be allowed
 RewriteEngine On
 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
- RewriteRule "(?x) ^/((?!r/).*/objects/(?: \
+ RewriteRule "(?x) ^/((?!r/)[^_].*/objects/(?: \
 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
 @@reporoot@@/$1 [L]
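Review bot: The new `[^_]` in both AliasMatch patterns and in the RewriteRule guards only the first character after the prefix, and `/` satisfies that class, so a request path with a doubled slash (constructed example: `/r//_proj/objects/...`) is still accelerated unless Apache merges consecutive slashes before alias matching; the same gap exists for a `_`-prefixed component deeper in a nested project path, if Girocco allows such paths. Excluding `/` from the class and checking every path component closes both, e.g. `AliasMatch ^/r/((?:[^_/][^/]*/)+objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1`, with the same `(?:[^_/][^/]*/)+` replacing `[^_].*/` in the pack alias and after `(?!r/)` in the RewriteRule. Unrelated to this change but carried over from the old lines, the unescaped `.` before `(pack|idx)` matches any character and would be tighter as `\.`.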
@@ -123,6 +125,7 @@
 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
+ # git-http-backend-verify denies all access to projects starting with '_'
 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
 # This allows HTTP access for Git user agents without the /r/ prefix
-- 
2.11.4.GIT