Sunday, March 28, 2021

Re: cgit about-filter in chroot (httpd + slowcgi)

On 2021-03-28 15:37, Paul W. Rankin wrote:
> I'm running cgit with httpd + slowcgi and can't seem to get the
> about-filter to work. Both httpd and slowcgi run in the default chroot
> of /var/www.
>
> I've compiled lowdown with "-static -pie" to /var/www/bin/lowdown
> (chroot /bin/lowdown) with permissions:
>
> -rwxr-xr-x 1 root bin 1325512 Mar 4 01:38 /var/www/bin/lowdown
>
> In my cgitrc (cgit.conf):
>
> about-filter=/bin/lowdown
> readme=:README.md
>
> However, upon visiting an About page of a repo that includes a
> README.md, I get only a blank page and the following is logged in
> error.log:
>
> lowdown: README.md: No such file or directory

Okay I figured this out, but the solution raises a troubling question...

The cgit about-filter doesn't want an executable to do e.g. the Markdown
conversion, rather it wants a script that will return the command to
perform this, e.g.:

#!/bin/sh
case "$1" in
(*.md) exec /bin/lowdown ;;
(*) exit ;;
esac

This works, i.e. README.md files are converted to HTML, but this
requires copying the sh binary into /var/www/bin, which is the troubling
part.

Is this an acceptable thing to do, security-wise?
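
An added example, not part of the original post or of cgit: the same dispatch as the sh script above, written as a small C program that can be linked statically like lowdown so the filter itself needs no shell in the chroot. It relies on cgit passing the file name as the first argument and the file content on stdin, as cgitrc(5) describes; the function name is_markdown is hypothetical.

```c
/* Added example: compiled stand-in for the sh filter script in the post.
 * Build it the same way as lowdown in the post (e.g. cc -static -pie). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* lowdown's path as seen from inside the /var/www chroot (from the post). */
#define LOWDOWN "/bin/lowdown"

/* Return 1 when name ends in ".md", mirroring the script's (*.md) pattern.
 * Hypothetical helper name, not part of cgit. */
int is_markdown(const char *name)
{
    size_t n;

    if (name == NULL)
        return 0;
    n = strlen(name);
    return n >= 3 && strcmp(name + n - 3, ".md") == 0;
}

int main(int argc, char *argv[])
{
    /* No arguments are forwarded: lowdown reads the README from stdin,
     * which is inherited across execv, and writes HTML to stdout. */
    char *const args[] = { "lowdown", NULL };

    /* Same as the script's "(*) exit" branch: emit nothing, succeed. */
    if (argc < 2 || !is_markdown(argv[1]))
        return 0;

    execv(LOWDOWN, args);

    /* Reached only when execv fails; the message goes to stderr,
     * which is where the lowdown error quoted in the post was logged from. */
    perror(LOWDOWN);
    return 127;
}
```

The file name is matched with a fixed string comparison and never reaches a shell or lowdown's argument list, so only stdin carries repository-controlled data into the converter.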
