suzanne.soy/racket-pkg-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove support for unencrypted git transports. (git:// and http://)

Browse Source 
Downloading executable code from a git repository that doesn't have
encryption is inadvisable since it can be intercepted and replaced by
a man-in-the-middle attacker. GitHub recommends doing clones over
HTTPS, and according to mflatt even if you request the git://
transport it will be ignored and https:// is used scenes anyway, so we
shouldn't claim to support it.

It may make sense to allow SSH connections as well as HTTPS, but I
don't think the "transport" drop-down is a good idea for this since
you need to specify a username when making an SSH connection.
This commit is contained in:
Phil Hagelberg 2017-10-08 13:25:06 -07:00 committed by Jay McCarthy
parent da358025bd
commit 180e0c9a87
1 changed files with 3 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/site.rkt
View File

@ -62,7 +62,7 @@
"https://pkgd.racket-lang.org")) "https://pkgd.racket-lang.org"))
(define default-empty-parsed-package-source (define default-empty-parsed-package-source
(git-source "git://github.com/" #f 'git 'git "github.com" #f "" "" "")) (git-source "https://github.com/" #f 'git 'git "github.com" #f "" "" ""))
(define COOKIE "pltsession") (define COOKIE "pltsession")
@ -1122,18 +1122,7 @@
,(textfield "g_host_port" "Host" g-host+port) ,(textfield "g_host_port" "Host" g-host+port)
,(textfield "g_repo" "Repository" g-repo "user/repo") ,(textfield "g_repo" "Repository" g-repo "user/repo")
,(textfield "g_commit" "Branch or commit" g-commit "master") ,(textfield "g_commit" "Branch or commit" g-commit "master")
,(textfield "g_path" "Path within repository" g-path) ,(textfield "g_path" "Path within repository" g-path))))))
,(row #:id (group-name "g_transport")
0 3
(label (control-name "g_transport") "Transport")
0 9
`(select ((id ,(control-name "g_transport"))
(name ,(control-name "g_transport")))
,@(for/list [(t (list "git" "https" "http"))]
`(option ((value ,t)
,@(maybe-splice (equal? t g-transport)
'(selected "selected")))
,t)))))))))
(tr (td ((colspan "2")) (tr (td ((colspan "2"))
(div ((class "form-inline")) (div ((class "form-inline"))
@ -1266,12 +1255,10 @@
(g (string->symbol (format "version__~a__~a" version name)) d)) (g (string->symbol (format "version__~a__~a" version name)) d))
(define type (vg 'type "simple")) (define type (vg 'type "simple"))
(define simple_url (vg 'simple_url "")) (define simple_url (vg 'simple_url ""))
(define g_transport (vg 'g_transport ""))
(define g_host_port (vg 'g_host_port "")) (define g_host_port (vg 'g_host_port ""))
(define g_repo0 (vg 'g_repo "")) (define g_repo0 (vg 'g_repo ""))
(define g_repo (cond (define g_repo (cond
[(regexp-match #rx"[.]git$" g_repo0) g_repo0] [(regexp-match #rx"[.]git$" g_repo0) g_repo0]
[(equal? g_transport "git") g_repo0]
[else (string-append g_repo0 ".git")])) [else (string-append g_repo0 ".git")]))
(define g_commit0 (vg 'g_commit "")) (define g_commit0 (vg 'g_commit ""))
(define g_path (vg 'g_path "")) (define g_path (vg 'g_path ""))
@ -1285,7 +1272,7 @@
(match type (match type
["simple" simple_url] ["simple" simple_url]
["git" (unparse-package-source (git-source "" #f #f ["git" (unparse-package-source (git-source "" #f #f
(string->symbol g_transport) "https://"
g_host g_host
g_port g_port
g_repo g_repo