* Explicitly disable Git credential helper
If the user running Gitea has configured a credential helper, Git
credentials might leak out of Gitea.
There are two problems with credential helpers when combined with Gitea:
1. Credentials entered by a user when doing a migration or setting up a
mirror will end up in the credential store. In the worst case, this
is the plain text file ~/.git-credentials.
2. Credentials in the credential store will be used for migrations and
mirrors by all users. For example, if user A sets up a mirror, their
credentials will be stored. If user B later sets up a mirror from the
same host and does not enter any credentials, user A's credentials
will be used.
This PR prepends -c credential.helper= to all Git commands to clear the
list of helpers. This requires at least Git version 2.9, as previous
versions will try to load an empty helper instead. For more details, see
24321375cd
* Update git module
* Inital routes to git refs api
* Git refs API implementation
* Update swagger
* Fix copyright
* Make swagger happy add basic test
* Fix test
* Fix test again :)
* Add raw blob endpoint
This should make it possible to download raw blobs directly from
/:repo/:username/raw/blob/:sha1 URLs.
* fix: Make it work
* As an SHA-ID is no path getRefNameFromPath can't be used to verify
file specifying parameter
* added relevant change in go-gitea/git #132
Signed-off-by: Berengar W. Lehr <Berengar.Lehr@kompetenztest.de>
* Update Gopkg.lock
Can't update all vendors due to errors
Signed-off-by: Berengar W. Lehr <Berengar.Lehr@kompetenztest.de>
* style: Add Gitea copyright header
* feat: Added integration test for /repo/u/r/raw/blob
* fix: correct year in copyright header
* Update dep github.com/markbates/goth
* Update dep github.com/blevesearch/bleve
* Update dep golang.org/x/oauth2
* Fix github.com/blevesearch/bleve to c74e08f039e56cef576e4336382b2a2d12d9e026
* Update dep golang.org/x/oauth2
* Add LDAP Key Synchronization feature
Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
* Add migration: add login source id column for public_key table
* Only update keys if needed
* Add function to only list pubkey synchronized from ldap
* Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it.
* Only get keys belonging to current login source id
* Set default login source id to 0
* Some minor cleanup. Add integration tests (updete dep testify)
* dep: Update github.com/go-macaron/csrf
Update github.com/go-macaron/csrf with dep to revision 503617c6b372
to fix issue of csrf-token security.
This update includes following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie
Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
* routers: set csrf-token security depending on COOKIE_SECURE
Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
* Update makefile to use dep
* Migrate to dep
* Fix some deps
* Try to find a better version for golang.org/x/net
* Try to find a better version for golang.org/x/oauth2