
Annotation of /rpms/smeserver-gitweb/contribs8/smeserver-gitweb-1.1.0-remove_runtime_access_to_networks_db.patch



Revision 1.2 - (hide annotations) (download)
Fri Jun 10 15:25:57 2016 UTC (7 years, 11 months ago) by unnilennium
Branch: MAIN
CVS Tags: smeserver-gitweb-1_0_0-19_el5_sme, smeserver-gitweb-1_0_0-20_el5_sme, smeserver-gitweb-1_0_0-17_el5_sme, smeserver-gitweb-1_0_0-18_el5_sme
Changes since 1.1: +0 -23 lines
* Fri Jun 10 2016 Jean-Philipe Pialasse <tests@pialasse.com> 1.0.0-17.sme
-  fix short url to repo not working  [SME: 9202]

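diff -urN smeserver-gitweb-1.1.0.org/createlinks smeserver-gitweb-1.1.0/createlinks
--- smeserver-gitweb-1.1.0.org/createlinks 2013-02-10 17:36:15.000000000 +1030
+++ smeserver-gitweb-1.1.0/createlinks 2016-02-17 10:07:37.486757581 +1030
@@ -6,7 +6,7 @@
 # Domain Modify
 # -------------
 
-for my $event ( qw( domain-modify ) )
+for my $event ( qw( domain-modify update-ifcfg ) )
 {
 safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 templates2events("/etc/gitweb.conf", $event)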
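Review bot: The local network range that gitweb.conf now carries is refreshed only on the two events listed in this `qw( domain-modify update-ifcfg )` loop, so a change to the server's local network made under any other event would leave the export-auth hook comparing REMOTE_ADDR against a stale range. Whether other events can change the 'private' access spec is not visible here and should be confirmed; if they can, they need the same `templates2events("/etc/gitweb.conf", $event)` and `sigusr1` links. A comment above the loop such as `# gitweb.conf embeds the local network range used for access control; every event that can change it must be listed here` would record why. The loop body continues past the end of the hunk.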
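diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 1970-01-01 09:30:00.000000000 +0930
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 2016-02-17 10:15:03.499265848 +1030
@@ -0,0 +1,13 @@
+{
+ # Retrieve the server local IP address
+ use esmith::NetworksDB;
+
+ my $networks_db = esmith::NetworksDB->open_ro() or
+ die "Could not open the NetworksDB";
+
+ # Get server private IP address and mask for access to the local network only
+ my $network_setting = $networks_db->local_access_spec('private');
+
+ $OUT .= "# The server local IP address and mask\n";
+ $OUT .= "\$local_network_setting = \"" . $network_setting . "\"\;\n";
+}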
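Review bot: `$network_setting` is written into gitweb.conf inside a double-quoted Perl string with no check on its content, so an undefined or unexpected value from `local_access_spec('private')` is either silently written as an empty range or interpolated again when gitweb loads the file. Since the hook uses this value for an access decision, the template should fail expansion rather than emit it: `die "Unexpected local access spec" unless defined $network_setting && $network_setting =~ m#\A[0-9./ ]+\z#;` and then emit a single-quoted literal, `$OUT .= "\$local_network_setting = '$network_setting'\;\n";`. The character class assumes the spec holds only dotted addresses and masks, which matches how the hook splits it but should be confirmed.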
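diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:05:07.105784576 +1030
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:13:43.902517553 +1030
@@ -17,12 +17,11 @@
 # Install a export authorisation hook to ensure Gitweb only list thise projects that the user
 # is authorised to see.
 # local_unauthorised internet_unauthorised local_authorised internet_authorised
-# internet anonymous pull Yes Yes Yes
+# internet anonymous pull Yes Yes Yes
 # local anonymous pull Yes No Yes
 # internet && authorised pull Yes No Yes
 # local && authorised pull Yes No Yes
 
-use esmith::NetworksDB;
 use esmith::GitDB;
 use MIME::Base64;
 use NetAddr::IP;
@@ -38,49 +37,47 @@
 auth_error("401 Unauthorized",
 "You wanted to provide authorization, so I asked for it.");
 \}
-
+
 # Don't allow hidden .git dirs (like the toplevel one)
 return 0 if ($projectdir =~ m-/.git-);
-
+
 if ($action =~ m/^(?:opml|project_list|project_index)$/) \{
 # They're viewing an index.
-
+
 # If gitweb-noindex is in the repo, disallow it now.
 return 0 if (-e "$projectdir/gitweb-noindex");
-
+
 $isindex = 1;
 \}
-
- # Check authorisation
-
- my $repository_view_allowed = 0;
+
+ # Check authorisation
+
+ my $repository_view_allowed = 0;
 my $internet_access_allowed = 0;
 my $host_request_allowed = 0; # Will be 1 when the view is allowed based on the current host address and 'allow_access_from' setting
 my $anonymous_pull = 0; # Will be 1 when the repository does not require pull authorisation
- my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository
+ my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository
 my $pull_users = '';
 
 # Retrieve project properties from DB
-
+
 if($projectdir =~ (/(.*?)\.git/)) \{
 my $projectname = basename($1);
 
 # Retrieve project properties from database
 my $git_db = esmith::GitDB->open_ro() or
 auth_error( "500 Internal Error", "Could not open the Git repository database!\nDoes the web server have permission to read the git database file?" );
-
- my $repository = $git_db->get($projectname) or
+
+ my $repository = $git_db->get($projectname) or
 auth_error( "500 Internal Error", "The git repository '$projectname' does not seem to exist in the repository database!" );
-
- my %properties = $repository->props;
+
+ my %properties = $repository->props;
 
 # Check if the request is from a local IP address for this host
- my $networks_db = esmith::NetworksDB->open_ro() or
- auth_error( "500 Internal Error", "Could not open the networks database!" );
-
+
 # Get server private IP address and mask for access to the local network only
- my @network_setting = split(/[\/ ]/, $networks_db->local_access_spec('private'));
-
+ my @network_setting = split(/[\/ ]/, $local_network_setting );
+
 # Check if the REMOTE_ADDR is within the range of the 'private' address for this server
 my $remote_addr = NetAddr::IP->new( $ENV\{'REMOTE_ADDR'\} );
 if( $remote_addr->within( new NetAddr::IP @network_setting[1], @network_setting[2] ) ) \{
@@ -131,7 +128,7 @@
 return 0; # EXIT NO AUTHORISATION SUPPLIED -> DENY REPOSITORY VIEW
 \}
 \}
-
+
 # Not reached. No access.
 return 0;
 \};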
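Review bot: Replacing the runtime lookup with `$local_network_setting` at the `split` line drops the only failure check on this value: the removed code called `auth_error` when the networks database could not be opened, while the new code uses the global unconditionally. If gitweb.conf was not regenerated or the 22LocalIPAddress fragment produced nothing, `@network_setting` is empty and `NetAddr::IP` is constructed from undefined arguments, and what `within` then returns decides whether a request is treated as local. The hook should fail closed right after the split, e.g. `auth_error("500 Internal Error", "Local network setting is missing from gitweb.conf") unless defined $local_network_setting && @network_setting >= 3;`. The same applies to `NetAddr::IP->new( $ENV\{'REMOTE_ADDR'\} )`, whose result is used without a defined check. The enclosing sub starts before this hunk.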
