Date: Mon, 13 Jul 2020 01:05:08 +0200
From: Tobias Girstmair
To: Junio C Hamano
Cc: git@vger.kernel.org
Subject: Re: [PATCH v3] gitweb: Replace tag with full URLs (when using PATH_INFO)
Message-ID: <20200712230508.GA1000433@isticktoit.net>

On Sun, Jul 12, 2020 at 02:00:01PM -0700, Junio C Hamano wrote:
>Sorry, but I am not sure the description is understandable to the
>intended readers of this sentence.
>
>Where does this README.html come from?

gitweb reads a README.html from each repository to display on the summary page.
'man 1 gitweb' has a paragraph on it under "Per-repository gitweb configuration".

>Is it stored in the history of the repository as a blob, and sent to
>the browser with a call to git_blob_plain() sub? Wouldn't that

No, it's a plain file in a bare repository, placed there either manually or by a post-update hook.

>codepath send the untrusted end-user data as an attachment, in which
>case relative links in the blob do not get resolved relative to the
>base URL anyway, no?

I'm not exactly sure what you're saying. gitweb includes the README.html as-is (i.e. without escaping). If the user wanted to include an image, they'd write (assuming this patch landed). In practice, these URLs will be rewritten by the markdown-to-html converter.