Add server config option for always rendering html code #241

@tboerger commented on GitHub (Jan 16, 2017):

Are you talking about a feature like https://github.com/go-gitea/gitea/issues/302?

@tboerger commented on GitHub (Jan 16, 2017): Are you talking about a feature like https://github.com/go-gitea/gitea/issues/302?

GiteaMirror commented

@pgaskin commented on GitHub (Jan 16, 2017):

Not exactly

@pgaskin commented on GitHub (Jan 16, 2017): Not exactly

GiteaMirror commented

@pgaskin commented on GitHub (Jan 16, 2017):

More like allowing rendering of files in the repo.

@pgaskin commented on GitHub (Jan 16, 2017): More like allowing rendering of files in the repo.

GiteaMirror commented

2025-11-02 03:15:10 -06:00

@tboerger commented on GitHub (Jan 16, 2017):

Can you explain the use case for that? I don't get it yet ;)

@tboerger commented on GitHub (Jan 16, 2017): Can you explain the use case for that? I don't get it yet ;)

GiteaMirror commented

@pgaskin commented on GitHub (Jan 16, 2017):

I have repository with HTML templates. I would like to preview them easily without them being in a separate location. I trust all users with write access to the server, so I want to simplify things by allowing rendering it right out of the repository.

@pgaskin commented on GitHub (Jan 16, 2017): I have repository with HTML templates. I would like to preview them easily without them being in a separate location. I trust all users with write access to the server, so I want to simplify things by allowing rendering it right out of the repository.

GiteaMirror commented

2025-11-02 03:15:10 -06:00

@pgaskin commented on GitHub (Jan 16, 2017):

Something like changing the ServeData function in routers/repo/download.go to this:

func ServeData(ctx *context.Context, name string, reader io.Reader) error {
	buf := make([]byte, 1024)
	n, _ := reader.Read(buf)
	if n > 0 {
		buf = buf[:n]
	}

	ctx.Resp.Header().Set("Cache-Control", "public,max-age=86400")

	// Google Chrome dislike commas in filenames, so let's change it to a space
	name = strings.Replace(name, ",", " ", -1)

        if setting.Repository.AlwaysRenderRawFiles {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
	} else if base.IsTextFile(buf) || ctx.QueryBool("render") {
		ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8")
	} else if base.IsImageFile(buf) || base.IsPDFFile(buf) {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
	} else {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
	}

	ctx.Resp.Write(buf)
	_, err := io.Copy(ctx.Resp, reader)
	return err
}

The setting AlwaysRenderRawFiles would have to be added to setting.go with a default of false (for security)

@pgaskin commented on GitHub (Jan 16, 2017): Something like changing the `ServeData` function in `routers/repo/download.go` to this: ```` func ServeData(ctx *context.Context, name string, reader io.Reader) error { buf := make([]byte, 1024) n, _ := reader.Read(buf) if n > 0 { buf = buf[:n] } ctx.Resp.Header().Set("Cache-Control", "public,max-age=86400") // Google Chrome dislike commas in filenames, so let's change it to a space name = strings.Replace(name, ",", " ", -1) if setting.Repository.AlwaysRenderRawFiles { ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name)) } else if base.IsTextFile(buf) || ctx.QueryBool("render") { ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8") } else if base.IsImageFile(buf) || base.IsPDFFile(buf) { ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name)) } else { ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name)) } ctx.Resp.Write(buf) _, err := io.Copy(ctx.Resp, reader) return err } ```` The setting `AlwaysRenderRawFiles` would have to be added to `setting.go` with a default of false (for security)

GiteaMirror commented

2025-11-02 03:15:10 -06:00

@pgaskin commented on GitHub (Jan 16, 2017):

I will open a PR

@pgaskin commented on GitHub (Jan 16, 2017): I will open a PR

GiteaMirror commented

@pgaskin commented on GitHub (Jan 17, 2017):

I have opened the PR, and it is ready. I have tested the feature myself too.

@pgaskin commented on GitHub (Jan 17, 2017): I have opened the PR, and it is ready. I have tested the feature myself too.

GiteaMirror commented

@tboerger commented on GitHub (Jan 17, 2017):

What do others think about that? I don't really like the idea to render every document/file.

@tboerger commented on GitHub (Jan 17, 2017): What do others think about that? I don't really like the idea to render every document/file.

GiteaMirror commented

@pgaskin commented on GitHub (Jan 17, 2017):

@tboerger I think that even though it is a security risk in most cases, there may be some cases, including my own, where it is needed. It really is not much of a security risk of there is only a few trusted people who are able to write to our create repositories.

@pgaskin commented on GitHub (Jan 17, 2017): @tboerger I think that even though it is a security risk in most cases, there may be some cases, including my own, where it is needed. It really is not much of a security risk of there is only a few trusted people who are able to write to our create repositories.

GiteaMirror commented

2025-11-02 03:15:12 -06:00

@pgaskin commented on GitHub (Jan 17, 2017):

@tboerger Also, in the issue about XSS with gogs' current implementation which is a ?render parameter, the author of the issue suggests for the option to be moved to the config file https://github.com/gogits/gogs/issues/3608

@pgaskin commented on GitHub (Jan 17, 2017): @tboerger Also, in the issue about XSS with gogs' current implementation which is a ?render parameter, the author of the issue suggests for the option to be moved to the config file https://github.com/gogits/gogs/issues/3608

GiteaMirror commented

@pgaskin commented on GitHub (Jan 17, 2017):

One example of people needing an option like this: https://github.com/gogits/gogs/issues/2593

@pgaskin commented on GitHub (Jan 17, 2017): One example of people needing an option like this: https://github.com/gogits/gogs/issues/2593

GiteaMirror commented

2025-11-02 03:15:12 -06:00

@pgaskin commented on GitHub (Jan 17, 2017):

Another few examples: https://github.com/gogits/gogs/issues/2283#issuecomment-181426550 and https://github.com/gogits/gogs/issues/2283#issuecomment-182239213

The last one I put cannot be solved using something like GitHub pages because it involves viewing rendered raw history of a file

@pgaskin commented on GitHub (Jan 17, 2017): Another few examples: https://github.com/gogits/gogs/issues/2283#issuecomment-181426550 and https://github.com/gogits/gogs/issues/2283#issuecomment-182239213 The last one I put cannot be solved using something like GitHub pages because it involves viewing rendered raw history of a file

GiteaMirror commented

2025-11-02 03:15:12 -06:00

@tboerger commented on GitHub (Jan 18, 2017):

IMHO this is something to solve for a separate tool. Many users don't get know how important this option can get

@tboerger commented on GitHub (Jan 18, 2017): IMHO this is something to solve for a separate tool. Many users don't get know how important this option can get

GiteaMirror commented

@pgaskin commented on GitHub (Jan 18, 2017):

What if we do not document the option?

@pgaskin commented on GitHub (Jan 18, 2017): What if we do not document the option?

GiteaMirror commented

@bkcsoft commented on GitHub (Jan 20, 2017):

I really don't like undocumented options... Someone will see it in the code and turn it on without knowing the consequences of that... I'm with @tboerger on this one, Gitea is not made to work like a CDN, there are many other projects out there that fit the purpose better. Caddy can even be setup to monitor your git-repo and automagically serve from that.

@bkcsoft commented on GitHub (Jan 20, 2017): I _really_ don't like undocumented options... Someone will see it in the code and turn it on without knowing the consequences of that... I'm with @tboerger on this one, Gitea is not made to work like a CDN, there are _many_ other projects out there that fit the purpose better. [Caddy](caddyserver.com) can even be setup to monitor your git-repo and [automagically serve](https://caddyserver.com/docs/git) from that.

GiteaMirror commented

@bkcsoft commented on GitHub (Jan 20, 2017):

If I am to be completely honest, I vote to remove the ?render=1 option as well, since it is a huge security-risk... or at least make a config-flag to disable it (though for backwards-compat I might consider having it enabled by default 😒 )

@bkcsoft commented on GitHub (Jan 20, 2017): If I am to be completely honest, I vote to remove the `?render=1` option as well, since it is a _huge_ security-risk... or at least make a config-flag to disable it (though for backwards-compat I might consider having it enabled by default 😒 )

GiteaMirror commented

@lunny commented on GitHub (Feb 15, 2017):

same with #685

@lunny commented on GitHub (Feb 15, 2017): same with #685

GiteaMirror commented

@pgaskin commented on GitHub (Mar 2, 2017):

Doesn't the csrf request token prevent this from being a security risk? If we make it not set the csrf cookie when sending the page, then wouldn't this be perfectly fine?

@pgaskin commented on GitHub (Mar 2, 2017): Doesn't the csrf request token prevent this from being a security risk? If we make it not set the csrf cookie when sending the page, then wouldn't this be perfectly fine?

GiteaMirror commented

@strk commented on GitHub (Mar 12, 2017):

How about clearly describing the security risk, in the current documentation ?
Because I understand the risk you see is already there.

@strk commented on GitHub (Mar 12, 2017): How about clearly describing the security risk, in the current documentation ? Because I understand the risk you see is already there.

GiteaMirror commented

@pgaskin commented on GitHub (Mar 12, 2017):

@strk Yes, and also, I use this patch in my server, and many of my friends do as well. There have not been any problems so far. How should it be described?

@pgaskin commented on GitHub (Mar 12, 2017): @strk Yes, and also, I use this patch in my server, and many of my friends do as well. There have not been any problems so far. How should it be described?

GiteaMirror commented

@strk commented on GitHub (Mar 12, 2017):

@geek1011 as @bkcsoft did on IRC:

18:49 < BKC> okey, here it goes. It is _extremly_ simple to make a HTML-file 
with a small script in that will take your CSRF-token and session-key, send 
those to a server that changes your password and stores that "for later use"

@strk commented on GitHub (Mar 12, 2017): @geek1011 as @bkcsoft did on [IRC](https://kiwiirc.com/client/irc.freenode.net/#gitea): ``` 18:49 < BKC> okey, here it goes. It is _extremly_ simple to make a HTML-file with a small script in that will take your CSRF-token and session-key, send those to a server that changes your password and stores that "for later use" ```

GiteaMirror commented

@lunny commented on GitHub (Mar 13, 2017):

But my point is we can genearte files and push the files to servers.
we can push files via local/ssh/ftp/coloud storage/http and etc.
setup a hook running on Gitea itself.

Copy my point from Gitter.

And we can detect the repo's types. Hugo maybe the first type and other formats.

@lunny commented on GitHub (Mar 13, 2017): But my point is we can genearte files and push the files to servers. we can push files via local/ssh/ftp/coloud storage/http and etc. setup a hook running on Gitea itself. Copy my point from Gitter. And we can detect the repo's types. Hugo maybe the first type and other formats.

GiteaMirror commented