Added ALWAYS_RENDER_RAW_FILES option to the repository section #685
Conversation
@@ -772,6 +774,8 @@ please consider changing to GITEA_CUSTOM`) | |||
if !filepath.IsAbs(Repository.Upload.TempPath) { | |||
Repository.Upload.TempPath = path.Join(workDir, Repository.Upload.TempPath) | |||
} | |||
|
|||
Repository.AlwaysRenderRawFiles = sec.Key("ALWAYS_RENDER_RAW_FILES").MustBool() |
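Review bot: `sec.Key("ALWAYS_RENDER_RAW_FILES").MustBool()` defaults the new key to false, which is the right off-by-default choice; the key still needs an entry in the sample app.ini under the repository section, with a comment stating that enabling it serves pushed HTML from the Gitea origin, as appleboy's comment asks.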
You also need to update the app.ini configuration.
@appleboy Done.
routers/repo/download.go
@@ -41,6 +44,7 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error { | |||
return err | |||
} | |||
|
|||
|
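Review bot: the only change in this hunk is an added blank line after `return err`; drop it so the diff stays limited to the behaviour change.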
Remove the empty line.
Done
routers/repo/download.go
if base.IsTextFile(buf) || ctx.QueryBool("render") { | ||
if setting.Repository.AlwaysRenderRawFiles { | ||
ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name)) | ||
} else if base.IsTextFile(buf) || ctx.QueryBool("render") { | ||
ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8") | ||
} else if base.IsImageFile(buf) || base.IsPDFFile(buf) { |
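Review bot: the `setting.Repository.AlwaysRenderRawFiles` branch sets only `Content-Disposition` and leaves `Content-Type` unset, so the type actually sent is whatever the server infers from the body; if that is the intent, set it explicitly (and add `X-Content-Type-Options: nosniff`) so the behaviour does not depend on the framework default. Note also that once the option is on, the first branch is always taken and the `base.IsTextFile(buf) || ctx.QueryBool("render")` check in the `else if` can never be reached.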
You should integrate this condition.
@appleboy I think it is more understandable this way.
For reference: #683 (comment)
Hi. 👍 for merging this :)
I'm with @tboerger on this, this is a really bad idea...
@bkcsoft Some people like me really need this option. Maybe it could be a build tag, and not offer prebuilt builds with this option?
@geek1011 well, if one has to compile it themselves anyway, it could just be a patch-set outside the project, because this is a really bad idea and a huge security risk.
So let's move it to 1.x.x
Doesn't the csrf request token prevent this from being a security risk? If we make it not set the csrf cookie when sending the page, then wouldn't this be perfectly fine?
Used for serving raw files with the right content type. Only enable if you know what you are doing. Signed-off-by: Patrick G <[email protected]>
Sorry it's not clear to me what the security risk is. I understand it's about running arbitrary javascript code embedded in HTML files put in a user repository. Now, cannot this be already done, only not by default?
@strk I think it would be submitting a form to delete a user or something like that.
Yes that's the issue… Basically the attack is an XSS issue AFAIK. By opening a specific URL (with a file saved) untrusted code can be executed in the context of the Gitea installation. This can do anything… So the fix is to disable it by default and if users need it add an option to enable parsing there. Even in Gogs it has been fixed already, so please don't get even slower than the original version. (Maybe also use the same config option for compatibility…)
Uh, no? I don't understand what you mean…
On Thu, Mar 23, 2017 at 09:01:22AM -0700, rugk wrote:
> So the fix is to disable it by default and if users need it add an option to enable parsing there. Even in Gogs it has been fixed already (gogs/gogs#3608 (comment)), so please don't get even slower than the original version. (Maybe also use the same config option for compatibility…)
Thanks for the pointer, I think it is good to be compatible as much
as possible. And yes, I do feel your pain about becoming slower than
the original version... (want to help us ?)
> Now, cannot this be already done, only not by default ?
Uh, no? I don't understand what you mean…
Passing the `render=1` parameter lets you receive HTML with arbitrary
javascript embedded, already.
You already have this PR, so what?
Exactly that's the behaviour that needs to be disabled (by default!).
Ah I saw that this PR does the opposite of fixing the render issue and should therefore be abolished. Of course you can allow users to use the
On Thu, Mar 23, 2017 at 11:13:07AM -0700, rugk wrote:
> (want to help us ?)
> You already have this PR, so what?
It's not just code that a project needs, but also organizational figures :)
I'll keep posting issues and complaining about security-stuff, be sure… 😊
I still don't like this option. This is something that should be handled by a Webserver. If the option is there, we will have users that enable it because they simply don't understand the risk. And then somebody will complain about it.
Then remove it entirely…
I think there are valid use cases where the security implication is not a concern: private hosting with only trusted users. For those cases, it's ok to let the admin allow rendering (even by default) the content. This is @geek1011's use case, I think.
Yes, but as @tboerger says, just use a reverse-proxy and add/modify the headers. There is no need to have this option in Gitea. (Users could not be aware of the risk and enable it more or less accidentally or for just trying it out etc.) On the other hand there is of course no need to discuss this. I am fine with an option, but please, please, disable it by default finally.
That's a good idea. I might write some caddy middleware to fix the content type.
General consensus seems to be that this is a bad idea altogether, so I'm closing this 🙂 Feel free to reopen if someone wants to discuss it further
So can we now implement/disable the rendering properly?
To recap: the reason raw rendering is considered unsafe is because
an attacker user could publish (via pushes to a repository)
malicious javascript code that would steal service credentials from other
users watching the published code.
This means that administrators trusting all users to not be malicious
could really as well want to ALWAYS_RENDER_RAW_FILES, while those who
cannot trust users should NEVER_RENDER_RAW_FILES instead.
Rendering raw files from a _different_ domain would remove the danger
altogether.
So my proposal for a "proper" way to do things is:
1. Allow setting a ROOT_URL_RAW variable to be used for serving
raw files rendering. When set, raw files would be served only
from the given domain, when unset, raw files would be disabled.
People trusting their users and NOT wanting to register another domain
could set ROOT_URL_RAW = %ROOT_URL, the others could leave that unset
(the default).
What do you think ?
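Added example (not code from this PR or from Gitea) of the decision the proposal above describes, assuming a `RawPolicy` type with `RootURL`/`RootURLRaw` fields standing in for the proposed settings and Go's stdlib `http.DetectContentType` in place of Gitea's `base.IsTextFile`/`IsImageFile`/`IsPDFFile`: with ROOT_URL_RAW unset nothing is rendered, on any host other than the raw one the request is refused, and only on the raw origin is the sniffed type sent.

```go
package main

import (
	"errors"
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// RawPolicy stands in for the proposed settings (field names are assumed):
// ROOT_URL_RAW unset disables raw rendering; ROOT_URL_RAW == ROOT_URL keeps
// same-origin rendering for admins who trust everyone who can push.
type RawPolicy struct {
	RootURL    string
	RootURLRaw string
}

var (
	ErrRawDisabled = errors.New("raw rendering disabled: ROOT_URL_RAW is unset")
	ErrWrongOrigin = errors.New("raw files are only served from ROOT_URL_RAW")
)

// RawHeaders returns the response headers for serving file name/buf to a
// request that arrived on reqHost, or an error when it must not be served.
func (p RawPolicy) RawHeaders(reqHost, name string, buf []byte) (http.Header, error) {
	u, err := url.Parse(p.RootURLRaw)
	if err != nil || u.Host == "" {
		return nil, ErrRawDisabled
	}
	if !strings.EqualFold(reqHost, u.Host) {
		// A handler would answer 404 here: pushed HTML must never execute in
		// the origin that holds the Gitea session cookie.
		return nil, ErrWrongOrigin
	}
	// Only on the raw origin is the sniffed type honoured. Stdlib sniffing
	// stands in for Gitea's base.IsTextFile/IsImageFile/IsPDFFile helpers.
	ct := http.DetectContentType(buf)
	disp := "attachment"
	if strings.HasPrefix(ct, "text/") || strings.HasPrefix(ct, "image/") || ct == "application/pdf" {
		disp = "inline"
	}
	h := http.Header{}
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff") // browsers must not re-sniff
	h.Set("Content-Disposition", mime.FormatMediaType(disp, map[string]string{"filename": name}))
	return h, nil
}
```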
Great idea!
@strk I'm fine with that proposal 🙂
So anyone willing to implement ?
@geek1011 ?
Used for serving raw files with the right content type, instead of text/plain. Fixes (#683).
This option is disabled by default as it could be a potential security risk because the HTML in raw mode would render on the same domain as Gitea.