From e1e64bd9fed2ecbec4ba8d28f6d6efd1f6326975 Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Mon, 13 Jul 2020 09:53:24 -0700
Subject: [PATCH] apache.conf.in: provide extra blob_plain checking

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
---
 apache.conf.in | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/apache.conf.in b/apache.conf.in
index 00e4c0a..3c0fd48 100644
--- a/apache.conf.in
+++ b/apache.conf.in
@@ -131,8 +131,8 @@
 	<IfModule rewrite_module>
 		RewriteEngine On
 
-		# Snapshot requests are only allowed via the PATH_INFO mechanism
-		RewriteCond %{QUERY_STRING}	(^|[&;])a=snapshot([&;]|$) [NC]
+		# Snapshot/blob_plain requests are only allowed via the PATH_INFO mechanism
+		RewriteCond %{QUERY_STRING}	(^|[&;])a=(?:snapshot|blob_plain)([&;]|$) [NC]
 		RewriteRule .? - [NS,F,L]
 
 		# Redirect snapshot requests to snapshot.cgi
@@ -142,6 +142,36 @@
 				snapshot(?:/.*)?)$" \
 			@@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
 
+		# Detect blob_plain requests with is_blob_plain
+		RewriteRule \
+			"(?x)^/(?![bchr]/)(?:w/)? \
+			((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git)/ \
+				blob_plain(?:/.*)?$" \
+			- [E=is_blob_plain:$1]
+
+		# Reject blob_plain requests if .no_blob_plain file exists and is not zero bytes
+		RewriteCond "%{ENV:is_blob_plain}" !=""
+		RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -s
+		RewriteRule ^ - [NS,F]
+
+		# Reject blob_plain requests if .no_blob_plain file exists AND mismatched Referer
+		# We require the referer host and port and git project to match the current request
+		RewriteCond "%{ENV:is_blob_plain}" !=""
+		RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -f
+		RewriteRule ^ - [C,E=is_blob_ref:1]
+		RewriteRule ^ - [C,E=ref_host:]
+		RewriteRule ^ - [E=ref_path:]
+		RewriteCond "%{ENV:is_blob_ref}" =1
+		RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?([^@:/?#]+(?::[0-9]+)?)"
+		RewriteRule ^ - [E=ref_host:%1]
+		RewriteCond "%{ENV:is_blob_ref}" =1
+		RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?[^@:/?#]+(?::[0-9]*)?(?:/w)?(.*)$"
+		RewriteRule ^ - [E=ref_path:%1]
+		RewriteCond "%{ENV:is_blob_ref}" =1
+		RewriteCond "@%{HTTP_HOST}=%{ENV:ref_host}@" "!^@([^=]*)=\1@$" [NC,OR]
+		RewriteCond "@/%{ENV:is_blob_plain}=%{ENV:ref_path}" "!^@([^=]*)=\1(?:[/?#]|$)"
+		RewriteRule ^ - [NS,F]
+
 		# Make the leading /h optional for requests that name an existing .html template
 		RewriteCond @@webroot@@/$1 !-f
 		RewriteCond @@cgiroot@@/$1 !-f
-- 
2.11.4.GIT