Re: Git repositories move to https://tt-rss.org

Posted: 26 Jul 2015, 17:11
by fox
dedioste i think you mistyped your email, dude

Re: Git repositories move to https://tt-rss.org

Posted: 26 Jul 2015, 19:32
by nameless
fox wrote: some? which files?

anyway i've figured out access controls i think so that's something


this one for instance
https://tt-rss.org/gitlab/fox/tt-rss/bl ... /index.php

Re: Git repositories move to https://tt-rss.org

Posted: 26 Jul 2015, 19:48
by fox
oh looks like nginx is being derpy again

e: should work now i guess

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 14:16
by nameless

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 14:35
by fox
idk how those are supposed to even work. where did you find this url on gitlab?

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 14:49
by nameless
it's in the sidebar right under the wiki.
if i recall correctly it wasn't there when i checked yesterday.
snippets is for gitlab what gist is for github. might come in handy from time to time.

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 14:57
by fox
i dunno:

Image

https://tt-rss.org/gitlab/snippets this url works, also this: https://tt-rss.org/gitlab/s/fox

there's no link on the profile page to /s/ and there's no way to go back from /s/ to /u/. maybe this feature is not completely done yet or something.

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 15:30
by nameless
i guess i am seeing it because i am not logged in.

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 16:00
by fox

Re: Git repositories move to https://tt-rss.org

Posted: 27 Jul 2015, 21:56
by HunterZ
fox wrote: there's an activity rss feed which should pretty much amount to the same thing imo

e: https://tt-rss.org/gitlab/fox/tt-rss.atom

Apparently you can just stick ".atom" at the end of a gitlab URL to get a feed. Here's one that just has commits to master:
https://tt-rss.org/gitlab/fox/tt-rss/co ... aster.atom

Re: Git repositories move to https://tt-rss.org

Posted: 30 Jul 2015, 19:19
by udzguru
Hi everyone,

since this thread is about moving the git-repository I wanted to point out a possible security issue with the tt-rss .git directory. This directory is inside the web-accessible folder and it is accessible by anyone. This problem affects lots and lots of much bigger sites but everyone should look into it.

More information and possible solutions are pointed out here e.g.
http://thenextweb.com/insider/2015/07/2 ... -websites/

I wanted to submit this as an issue ticket in Gitlab but unfortunately wasn't assigned to the project and therefore not able to submit anything.

Perhaps a little directive should be added to the .htaccess by default to improve installation security.

Re: Git repositories move to https://tt-rss.org

Posted: 30 Jul 2015, 19:31
by fox
you do realize of course that access to .git "directory" (it actually is not) is kinda required if you want to allow people actually cloning the fucking repository? you know because it's an open source project and stuff?

>I wanted to submit this as an issue ticket in Gitlab but unfortunately wasn't assigned to the project and therefore not able to submit anything.

i love that feeling when my changes are working as intended, that is stopping people from posting stuff like this on the issue tracker

Re: Git repositories move to https://tt-rss.org

Posted: 30 Jul 2015, 20:03
by udzguru
Stop. You got me wrong! I don't want to restrict access to the git repository.

I just wanted to point out that a quite simple change to the .htaccess file which can be pulled from the repository could prevent the public exposure of the .gitignore file and the .git directory of the tt-rss installations out there.

For now I just added the directive:

Code:

RedirectMatch 404 /\.git.*$

to the beginning of the file and it does its job fine.

Re: Git repositories move to https://tt-rss.org

Posted: 30 Jul 2015, 20:16
by fox
oh no not the public exposure of the .gitignore file

it does after all contain my darkest secrets

e: i understand that you mean well but seriously please stop you're making my head hurt with this

e2: either that or post some highly sensitive data available on /.git

Re: Git repositories move to https://tt-rss.org

Posted: 30 Jul 2015, 20:48
by JustAMacUser
@udzguru,

Your intentions are good but you may be misunderstanding the article you referenced.

The article is talking about developers working privately on a project and storing information in the repository, which is later pulled into a web-accessible area thereby exposing sensitive information that was committed to the repo (even if said information was later removed, since Git still tracks it internally).

This isn't an issue for TT-RSS because the entire repository is already public; always has been. There's no sensitive information in it because the only sensitive information is stored in the config.php file, which is already excluded in .gitignore. (Even much of the information in config.php is useless without access to the server, itself.)

Also, with respect to your fix: assuming mod_rewrite is installed and enabled is bad form. Using rewrite for access control is bad form. It's better to verify the module(s) are installed and use Allow/Deny directives inside Directory/File sections. (For that matter, assuming Apache is also a little bad form but understandable since it's pretty popular.)

Also, blocking access to files/directories like .git/.gitignore is not the responsibility of the author of the software. It's the responsibility of the system admin maintaining the install on the server, since it's his/her job to make sure the install is working and the setup is secure.

As an aside, while most people probably have .git* stuff in their document root, it's entirely possible for Git's directory and working tree to be different and if people are super concerned about security they can just do that.

tl;dr

The article is valid but not applicable to TT-RSS.
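For readers who do want to keep Git metadata in a document root from being served, here is an added example (not from this thread or from the tt-rss project) that places udzguru's RedirectMatch line next to the access-control form JustAMacUser describes, guarded so each part only applies when its module is loaded. It assumes Apache 2.4 and an install under /var/www/tt-rss; note that RedirectMatch is provided by mod_alias, and that DirectoryMatch is only valid in the server or virtual-host config, not in .htaccess, where FilesMatch is the usable form.

```apache
# Added example: deny web access to .git and related dotfiles in the docroot.
# Assumed layout: DocumentRoot /var/www/tt-rss (constructed for this example).

# Option 1: the directive posted above, wrapped so the dependency is explicit.
# RedirectMatch belongs to mod_alias; without the module the line would be
# a syntax error rather than silently ignored, so guard it.
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.git"
</IfModule>

# Option 2: explicit access control inside Directory/Files sections, with no
# dependency on mod_alias or mod_rewrite. DirectoryMatch is a core directive
# (server/vhost config only); Require comes from mod_authz_core on 2.4.
<IfModule mod_authz_core.c>
    # Any path component named .git (the repository metadata itself).
    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>

    # .gitignore, .gitattributes, .gitmodules are plain files, so cover those
    # separately; a file-level match is also what works from an .htaccess.
    <FilesMatch "^\.git">
        Require all denied
    </FilesMatch>
</IfModule>

# Fallback for Apache 2.2, where access control is mod_authz_host Order/Deny.
<IfModule !mod_authz_core.c>
    <DirectoryMatch "/\.git">
        Order deny,allow
        Deny from all
    </DirectoryMatch>
    <FilesMatch "^\.git">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>
```

After reloading Apache, requesting /.git/HEAD on the install should return 404 (option 1) or 403 (option 2) instead of the file contents.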