Git repositories move to https://tt-rss.org

Postby fox » 26 Jul 2015, 17:11

dedioste i think you mistyped your email, dude

Postby nameless » 26 Jul 2015, 19:32


Postby fox » 26 Jul 2015, 19:48

oh looks like nginx is being derpy again

e: should work now i guess

Postby nameless » 27 Jul 2015, 14:16


Postby fox » 27 Jul 2015, 14:35

idk how those are supposed to even work. where did you find this url on gitlab?

Postby nameless » 27 Jul 2015, 14:49

it's in the sidebar right under the wiki.
if i recall correctly it wasn't there when i checked yesterday.
snippets is for gitlab what gist is for github. might come in handy from time to time.

Postby fox » 27 Jul 2015, 14:57

i dunno:

https://tt-rss.org/gitlab/snippets this url works, also this: https://tt-rss.org/gitlab/s/fox

there's no link on the profile page to /s/ and there's no way to go back from /s/ to /u/. maybe this feature is not completely done yet or something.

Postby nameless » 27 Jul 2015, 15:30

i guess i am seeing it because i am not logged in.

Postby fox » 27 Jul 2015, 16:00


Postby HunterZ » 27 Jul 2015, 21:56


Postby udzguru » 30 Jul 2015, 19:19

Hi everyone,

Since this thread is about moving the git repository, I wanted to point out a possible security issue with the tt-rss .git directory. This directory is inside the web-accessible folder and is accessible by anyone. This problem affects lots and lots of much bigger sites, but everyone should look into it.

More information and possible solutions are pointed out here e.g.
http://thenextweb.com/insider/2015/07/2 ... -websites/

I wanted to submit this as an issue ticket in GitLab but unfortunately wasn't assigned to the project and therefore wasn't able to submit anything.

Perhaps a little directive should be added to the .htaccess by default to improve installation security.

Postby fox » 30 Jul 2015, 19:31

you do realize of course that access to the .git "directory" (it actually is not one) is kinda required if you want to allow people to actually clone the fucking repository? you know, because it's an open source project and stuff?

>I wanted to submit this as an issue ticket in Gitlab but unfortunately wasn't assigned to the project and therefore not able to submit anything.

i love that feeling when my changes are working as intended, that is, stopping people from posting stuff like this on the issue tracker

Postby udzguru » 30 Jul 2015, 20:03


Postby fox » 30 Jul 2015, 20:16

oh no not the public exposure of the .gitignore file

it does after all contain my darkest secrets

e: i understand that you mean well but seriously please stop you're making my head hurt with this

e2: either that or post some highly sensitive data available on /.git

Postby JustAMacUser » 30 Jul 2015, 20:48

@udzguru,

Your intentions are good but you may be misunderstanding the article you referenced.

The article is talking about developers working privately on a project and storing information in the repository, which is later pulled into a web-accessible area thereby exposing sensitive information that was committed to the repo (even if said information was later removed, since Git still tracks it internally).

This isn't an issue for TT-RSS because the entire repository is already public; always has been. There's no sensitive information in it because the only sensitive information is stored in the config.php file, which is already excluded in .gitignore. (Even much of the information in config.php is useless without access to the server, itself.)

Also, with respect to your fix: assuming mod_rewrite is installed and enabled is bad form. Using rewrite for access control is bad form. It's better to verify the module(s) are installed and use Allow/Deny directives inside Directory/File sections. (For that matter, assuming Apache is also a little bad form but understandable since it's pretty popular.)

Also, blocking access to files/directories like .git/.gitignore is not the responsibility of the author of the software. It's the responsibility of the system admin maintaining the install on the server, since it's his/her job to make sure the install is working and the setup is secure.

As an aside, while most people probably have .git* stuff in their document root, it's entirely possible for Git's directory and working tree to be different and if people are super concerned about security they can just do that.

tl;dr

The article is valid but not applicable to TT-RSS.
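The "separate git directory and working tree" deployment JustAMacUser mentions, as an added example that is not from this thread or the tt-rss project. It assumes git and a POSIX shell are available; all paths are constructed throwaway directories standing in for the public repo, the metadata location and the web document root.

```shell
#!/bin/sh
# Added example: check a repository out into a web document root while keeping
# the .git metadata (objects, refs, index) outside of it, so a web server that
# serves DOCROOT cannot serve repository internals. Paths are constructed.
set -eu

DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
UPSTREAM="$DEMO/upstream"   # stand-in for the public repository being cloned
GIT_META="$DEMO/repo.git"   # bare repository, deliberately outside DOCROOT
DOCROOT="$DEMO/htdocs"      # the directory the web server would serve

# Build a tiny stand-in upstream repo with a tracked .gitignore and one file.
git init -q "$UPSTREAM"
printf 'config.php\n' > "$UPSTREAM/.gitignore"
printf '<?php echo "hi";\n' > "$UPSTREAM/index.php"
git -C "$UPSTREAM" -c user.name=demo -c user.email=demo@example.invalid add -A
git -C "$UPSTREAM" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'initial import (constructed)'

# Clone only the metadata, as a bare repo, then populate DOCROOT from it.
# Because --git-dir and --work-tree are given explicitly, no .git directory
# or .git pointer file is ever created under DOCROOT.
git clone -q --bare "$UPSTREAM" "$GIT_META"
mkdir -p "$DOCROOT"
git --git-dir="$GIT_META" --work-tree="$DOCROOT" checkout -q -f HEAD

# Returns 0 only when no .git directory or .git pointer file exists anywhere
# under the given root. A tracked .gitignore is left alone: as noted above,
# it carries nothing sensitive, the repository internals are the concern.
docroot_is_clean() {
  ! find "$1" -name .git | grep -q .
}

# Later updates use the same pair of flags, e.g.
#   git --git-dir="$GIT_META" fetch -q origin
#   git --git-dir="$GIT_META" --work-tree="$DOCROOT" checkout -q -f FETCH_HEAD
if docroot_is_clean "$DOCROOT"; then
  echo "document root contains no git metadata"
else
  echo "git metadata found under $DOCROOT" >&2
fi
```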
