Codeberg-Infrastructure
/
build-deploy-gitea
18
16
Fork 18
Code Issues 7 Pull Requests 1 Releases Wiki Activity
Labels Milestones
New Pull Request

Support for raw content subdomain #52

Closed
hw wants to merge 1 commits from raw_content_subdomain_support into master
Conversation 5 Commits 1 Files Changed 1
1 changed files with 17 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 19
      var/www/pages/index.php

19
var/www/pages/index.php
Unescape View File

@ -45,8 +45,23 @@ if ($tld === "org") {
if (strpos($owner, ".") !== false)
send_response(200, "Pages not supported for user names with dots. Please rename your username to use Codeberg pages.");
if ($owner === "raw") {
$owner = strtolower(array_shift($request_url_parts));
$cors = true;
$ch = curl_init("http://localhost:3000" . $_SERVER["REQUEST_URI"]);
momar commented 1 year ago
Review

Does this limit in any way the accessible pages? Like can I get the source of my user account page by going to raw.codeberg.org/momar?

Does this limit in any way the accessible pages? Like can I get the source of my user account page by going to raw.codeberg.org/momar?
hw commented 1 year ago
Review

It recognizes permissions (hidden repos get 404 which is not the case currently).

It recognizes permissions (hidden repos get 404 which is not the case currently).
momar commented 1 year ago
Review

Possibly a problem: it seems like people can get a valid CSRF token through that, as they seem to not be limited to an IP address!

I'd suggest to only map raw.codeberg.org/{username}/{repo}/{...} to codeberg.org/{username}/{repo}/raw/{...}, and only serve the response when it's 200 OK

Possibly a problem: it seems like people can get a valid CSRF token through that, as they seem to not be limited to an IP address! I'd suggest to only map `raw.codeberg.org/{username}/{repo}/{...}` to `codeberg.org/{username}/{repo}/raw/{...}`, and only serve the response when it's `200 OK`
hw commented 1 year ago
Review

So we should strip the headers?

So we should strip the headers?
hw commented 1 year ago
Review

(just like the cookie?)

(just like the cookie?)
momar commented 1 year ago
Review

Nonono, the CSRF token is in the content of the response! We should explicitly only allow raw files from repositories (raw.codeberg.org/username/repo/branch/main/filename.txt), instead of any Gitea URL (like raw.codeberg.org/user/settings, even if cookies are stripped).

Nonono, the CSRF token is in the content of the response! We should explicitly *only* allow raw files from repositories (`raw.codeberg.org/username/repo/branch/main/filename.txt`), instead of any Gitea URL (like `raw.codeberg.org/user/settings`, even if cookies are stripped).
hw commented 1 year ago
Review

never from .org I guess?

never from .org I guess?
momar commented 1 year ago
Review

That doesn't matter - replace it with .page or whatever. IMO it should definitely only be possible to get files from repositories via the .page TLD, and make sure to never expose Gitea resources like the API, or HTML pages.

That doesn't matter - replace it with .page or whatever. IMO it should definitely only be possible to get files from repositories via the .page TLD, and make sure to never expose Gitea resources like the API, or HTML pages.
hw commented 1 year ago
Review

agree

agree
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header = substr($response, 0, $header_size);
$header = explode("\r\n", $header);
$body = substr($response, $header_size);
foreach($header as $h) {
if ($h && substr($h, 0, 11) != "Set-Cookie:")
header($h);
}
header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");
header("Access-Control-Allow-Origin: *");
send_response($status, $body);
}
}

Write Preview
Loading…
Cancel
Save