authorNiklas Goerke <github@niklasgoerke.de>2020-10-07 11:55:13 +0200
committerGitHub <noreply@github.com>2020-10-07 12:55:13 +0300
commit8fe8ab5cbf2977f3a01ea12361df2cd76dce3ea9 (patch)
treef2f1e994d49072ced1891e2ff36e55be95b8b2e9 /custom
parentd49242287db18fe56991aa66afae0a376bfe9874 (diff)
Mitigate Security vulnerability in the git hook feature (#13058)
* Extend git hook warning in the UI. Git hooks are a dangerous feature; administrators should be warned before giving the git hook privilege to users. * Disable Git hooks by default and add warning. Git hooks are a dangerous feature (see warning text) that should only be enabled if the administrator has been informed about the risk involved. Co-authored-by: Niklas Goerke <goerke@fzi.de>
Diffstat (limited to 'custom')
-rw-r--r--custom/conf/app.example.ini9
1 files changed, 7 insertions, 2 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 44c448a4e3..113e0e3754 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -512,8 +512,13 @@ REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
MIN_PASSWORD_LENGTH = 6
; Set to true to allow users to import local server paths
IMPORT_LOCAL_PATHS = false
-; Set to true to prevent all users (including admin) from creating custom git hooks
-DISABLE_GIT_HOOKS = false
+; Set to false to allow users with git hook privileges to create custom git hooks.
+; Custom git hooks can be used to perform arbitrary code execution on the host operating system.
+; This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
+; By modifying the Gitea database, users can gain Gitea administrator privileges.
+; It also enables them to access other resources available to the user on the operating system that is running the Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
+; WARNING: This maybe harmful to you website or your operating system.
+DISABLE_GIT_HOOKS = true
; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
;Comma separated list of character classes required to pass minimum complexity.
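Review bot: The last added comment line of the DISABLE_GIT_HOOKS block has two typos that weaken a warning an administrator is meant to read carefully; `; WARNING: This maybe harmful to you website or your operating system.` should read `; WARNING: This may be harmful to your website or your operating system.`. The WARNING line would also be more effective as the first line of the block, where it is seen before the explanation rather than after five lines of detail. Since this hunk only changes the example config, the new `true` value takes effect for fresh installations that copy it; an existing deployment keeps whatever its own app.ini already sets, so a short comment such as `; Existing installations must set this explicitly; this file is only an example.` would make the safe default less likely to be assumed where it does not apply (that the code-level default was changed alongside this is not visible in this hunk).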