git-daemon/chiark-urlmap: better security

Check the server IP address corresponds to the server hostname when exporting VPN-only repositories. Use symlinks under ~/.userv so that public-git directories are not exported by default, as in the www-cgi configuration.
author: Tony Finch <dot@dotat.at> 2010-03-31 03:35:10 +0100
committer: Ian Jackson <ian@liberator.relativity.greenend.org.uk> 2010-05-22 15:54:42 +0100
commit: 82e04925eb9e251fb56c507967fe1ff76e59c94c (patch)
tree: d5b443e35bc0aad5b06ed463abed0d3408f4e8be /git-daemon
parent: f1ebe10b60640bdbdd34927d5d74624c2a494f95 (diff)
download: userv-utils-82e04925eb9e251fb56c507967fe1ff76e59c94c.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/git-daemon/chiark-urlmap b/git-daemon/chiark-urlmap
index d3bb876..499f21c 100644
--- a/git-daemon/chiark-urlmap
+++ b/git-daemon/chiark-urlmap
@@ -7,14 +7,16 @@
 if ($host eq 'git.chiark.greenend.org.uk') {
     if ($path =~ m{^~([^/]*)/(.*)}) {
         $user = $1;
-        $dir = 'public-git';
+        $dir = '.userv/public-git';
         $repo = $2;
     } else {
         $user = 'webmaster';
         $dir = '/u2/git-repos';
         $repo = $path;
     }
-} elsif (m{^git://cabal[.]greenend[.]org[.]uk/~([^/]*)/(.*)$}) {
+} elsif ($server_addr eq '172.31.80.8' and
+         $host eq 'cabal.greenend.org.uk' and
+	 $path =~ m|^~([^/]*)/(.*)$|) {
     $user = $1;
     $dir = 'cabal-git';
     $repo = $2;
author	Tony Finch <dot@dotat.at>	2010-03-31 03:35:10 +0100
committer	Ian Jackson <ian@liberator.relativity.greenend.org.uk>	2010-05-22 15:54:42 +0100
commit	82e04925eb9e251fb56c507967fe1ff76e59c94c (patch)
tree	d5b443e35bc0aad5b06ed463abed0d3408f4e8be /git-daemon
parent	f1ebe10b60640bdbdd34927d5d74624c2a494f95 (diff)
download	userv-utils-82e04925eb9e251fb56c507967fe1ff76e59c94c.tar.gz