Support for raw content subdomain #52

Closed
hw wants to merge 1 commit from raw_content_subdomain_support into master
  1. 19
      var/www/pages/index.php

@ -45,8 +45,23 @@ if ($tld === "org") {
if (strpos($owner, ".") !== false)
send_response(200, "Pages not supported for user names with dots. Please rename your username to use Codeberg pages.");
if ($owner === "raw") {
$owner = strtolower(array_shift($request_url_parts));
$cors = true;
$ch = curl_init("http://localhost:3000" . $_SERVER["REQUEST_URI"]);
Review

Does this limit in any way the accessible pages? Like can I get the source of my user account page by going to raw.codeberg.org/momar?

hw commented 1 year ago
Review

It recognizes permissions (hidden repos get 404 which is not the case currently).

Review

Possibly a problem: it seems like people can get a valid CSRF token through that, as they seem to not be limited to an IP address! I'd suggest to only map `raw.codeberg.org/{username}/{repo}/{...}` to `codeberg.org/{username}/{repo}/raw/{...}`, and only serve the response when it's `200 OK`
hw commented 1 year ago
Review

So we should strip the headers?

hw commented 1 year ago
Review

(just like the cookie?)

Review

Nonono, the CSRF token is in the content of the response! We should explicitly *only* allow raw files from repositories (`raw.codeberg.org/username/repo/branch/main/filename.txt`), instead of any Gitea URL (like `raw.codeberg.org/user/settings`, even if cookies are stripped).
hw commented 1 year ago
Review

never from .org I guess?

Review

That doesn't matter - replace it with .page or whatever. IMO it should definitely only be possible to get files from repositories via the .page TLD, and make sure to never expose Gitea resources like the API, or HTML pages.

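The restriction proposed in this thread (map only `raw.codeberg.org/{username}/{repo}/...` to `codeberg.org/{username}/{repo}/raw/...`, serve the body only on `200 OK`, never expose other Gitea routes such as the API or HTML pages), as an added PHP example that is not part of this PR or of the Codeberg Pages code. It goes beyond the `branch/main` case in the comment by also accepting Gitea's `tag/` and `commit/` raw routes; the function names, the upstream host and the relayed header set are this example's assumptions.

```php
<?php
// Added example, not code from this PR: accept only repository raw-file paths on the raw
// host, map them to Gitea's /{owner}/{repo}/raw/ route and relay a 200 body with fixed
// headers. Function names, the upstream host and the header set are this example's assumptions.

// Gitea user and repository names: letters, digits, '.', '-', '_' (no slashes, no dots-only).
const GITEA_NAME_RE = '/^[A-Za-z0-9][A-Za-z0-9._-]*$/';
// /{owner}/{repo}/{branch|tag|commit}/{ref}/{path...}  ->  {upstream}/{owner}/{repo}/raw/...
// Anything else (user settings, the API, HTML pages) yields null and is never proxied.
function raw_upstream_url(string $request_uri, string $upstream = "http://localhost:3000"): ?string
{
    $path = explode("?", $request_uri, 2)[0];                 // never forward the query string
    $parts = array_map("rawurldecode", explode("/", ltrim($path, "/")));
    if (count($parts) < 5) return null;                       // owner, repo, kind, ref, file
    [$owner, $repo, $kind] = array_splice($parts, 0, 3);      // $parts is now ref + file path
    if (!preg_match(GITEA_NAME_RE, $owner) || !preg_match(GITEA_NAME_RE, $repo)) return null;
    if (!in_array($kind, ["branch", "tag", "commit"], true)) return null;
    foreach ($parts as $seg) {                                // decoded first, so %2e%2e is caught too
        if ($seg === "" || $seg === "." || $seg === ".." || preg_match('/[\x00-\x1f\\\\]/', $seg)) return null;
    }
    $segs = array_merge([$owner, $repo, "raw", $kind], $parts);
    return $upstream . "/" . implode("/", array_map("rawurlencode", $segs));
}

// Fetch anonymously (no cookies, no redirects) and relay only a 200 response with fixed headers.
function serve_raw_file(string $url): void
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $type = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    if ($body === false || $status !== 200) {                 // private repo, missing file, any non-raw route
        http_response_code(404);
        return;
    }
    header("Content-Type: " . ($type ?: "application/octet-stream"));
    header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");
    header("Access-Control-Allow-Origin: *");
    echo $body;
}
$url = raw_upstream_url($_SERVER["REQUEST_URI"] ?? "/");
if ($url === null) {
    http_response_code(404);        // e.g. /user/settings or /api/v1/... never reach Gitea
} else {
    serve_raw_file($url);           // e.g. /momar/repo/branch/main/README.md
}
```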
hw commented 1 year ago
Review

agree

curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header = substr($response, 0, $header_size);
$header = explode("\r\n", $header);
$body = substr($response, $header_size);
foreach($header as $h) {
if ($h && substr($h, 0, 11) != "Set-Cookie:")
header($h);
}
header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");
header("Access-Control-Allow-Origin: *");
send_response($status, $body);
}
}
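Review bot: the forwarded path in `curl_init("http://localhost:3000" . $_SERVER["REQUEST_URI"])` is the unmodified request path, with only the host-derived `raw` owner shifted off `$request_url_parts`, so every Gitea route (HTML pages, the API) is reachable under the raw host and is relayed with `Access-Control-Allow-Origin: *` whatever `$status` is; build the upstream URL from the parsed `{owner}/{repo}` segments as `/{owner}/{repo}/raw/...` and pass the body through only when `$status` is 200. The `Set-Cookie:` filter at `substr($h, 0, 11) != "Set-Cookie:"` is also a case-sensitive prefix comparison while header names are case-insensitive (`strncasecmp` would do), and since `header($h)` replays every other upstream header, an allow-list (`Content-Type`, `Content-Length`) is safer than this deny-list.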
