From: Tony Finch <dot@dotat.at>
Date: Wed, 31 Mar 2010 02:35:10 +0000 (+0100)
Subject: git-daemon/chiark-urlmap: better security
X-Git-Tag: userv/0.6.1~93
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=userv-utils.git;a=commitdiff_plain;h=82e04925eb9e251fb56c507967fe1ff76e59c94c

git-daemon/chiark-urlmap: better security

Check the server IP address corresponds to the server hostname
when exporting VPN-only repositories.

Use symlinks under ~/.userv so that public-git directories
are not exported by default, as in the www-cgi configuration.
---

diff --git a/git-daemon/chiark-urlmap b/git-daemon/chiark-urlmap
index d3bb876..499f21c 100644
--- a/git-daemon/chiark-urlmap
+++ b/git-daemon/chiark-urlmap
@@ -7,14 +7,16 @@
 if ($host eq 'git.chiark.greenend.org.uk') {
     if ($path =~ m{^~([^/]*)/(.*)}) {
         $user = $1;
-        $dir = 'public-git';
+        $dir = '.userv/public-git';
         $repo = $2;
     } else {
         $user = 'webmaster';
         $dir = '/u2/git-repos';
         $repo = $path;
     }
-} elsif (m{^git://cabal[.]greenend[.]org[.]uk/~([^/]*)/(.*)$}) {
+} elsif ($server_addr eq '172.31.80.8' and
+         $host eq 'cabal.greenend.org.uk' and
+	 $path =~ m|^~([^/]*)/(.*)$|) {
     $user = $1;
     $dir = 'cabal-git';
     $repo = $2;