From 82e04925eb9e251fb56c507967fe1ff76e59c94c Mon Sep 17 00:00:00 2001
From: Tony Finch <dot@dotat.at>
Date: Wed, 31 Mar 2010 03:35:10 +0100
Subject: [PATCH] git-daemon/chiark-urlmap: better security

Check the server IP address corresponds to the server hostname
when exporting VPN-only repositories.

Use symlinks under ~/.userv so that public-git directories
are not exported by default, as in the www-cgi configuration.
---
 git-daemon/chiark-urlmap | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/git-daemon/chiark-urlmap b/git-daemon/chiark-urlmap
index d3bb876..499f21c 100644
--- a/git-daemon/chiark-urlmap
+++ b/git-daemon/chiark-urlmap
@@ -7,14 +7,16 @@
 if ($host eq 'git.chiark.greenend.org.uk') {
     if ($path =~ m{^~([^/]*)/(.*)}) {
         $user = $1;
-        $dir = 'public-git';
+        $dir = '.userv/public-git';
         $repo = $2;
     } else {
         $user = 'webmaster';
         $dir = '/u2/git-repos';
         $repo = $path;
     }
-} elsif (m{^git://cabal[.]greenend[.]org[.]uk/~([^/]*)/(.*)$}) {
+} elsif ($server_addr eq '172.31.80.8' and
+         $host eq 'cabal.greenend.org.uk' and
+	 $path =~ m|^~([^/]*)/(.*)$|) {
     $user = $1;
     $dir = 'cabal-git';
     $repo = $2;
-- 
2.30.2