Add server config option for always rendering html code

[pgaskin]

• Gitea version (or commit ref): 1.0.1
• Git version: 2.9.3
• Operating system: Alpine Linux
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

I have a few repos of HTML code, in a repository on a server which only me and people I trust access. I would like there to be a server configuration option to always render html in repos. I am willing to add this feature myself.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/41023445-add-server-config-option-for-always-rendering-html-code?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github).

[tboerger]

Are you talking about a feature like #302?

[pgaskin]

Not exactly

[pgaskin]

More like allowing rendering of files in the repo.

[tboerger]

Can you explain the use case for that? I don't get it yet ;)

[pgaskin]

I have repository with HTML templates. I would like to preview them easily without them being in a separate location. I trust all users with write access to the server, so I want to simplify things by allowing rendering it right out of the repository.

[pgaskin]

Something like changing the ServeData function in routers/repo/download.go to this:

func ServeData(ctx *context.Context, name string, reader io.Reader) error {
	buf := make([]byte, 1024)
	n, _ := reader.Read(buf)
	if n > 0 {
		buf = buf[:n]
	}

	ctx.Resp.Header().Set("Cache-Control", "public,max-age=86400")

	// Google Chrome dislike commas in filenames, so let's change it to a space
	name = strings.Replace(name, ",", " ", -1)

        if setting.Repository.AlwaysRenderRawFiles {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
	} else if base.IsTextFile(buf) || ctx.QueryBool("render") {
		ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8")
	} else if base.IsImageFile(buf) || base.IsPDFFile(buf) {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
	} else {
		ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
	}

	ctx.Resp.Write(buf)
	_, err := io.Copy(ctx.Resp, reader)
	return err
}

The setting AlwaysRenderRawFiles would have to be added to setting.go with a default of false (for security)

[pgaskin]

I will open a PR

[pgaskin]

I have opened the PR, and it is ready. I have tested the feature myself too.

[tboerger]

What do others think about that? I don't really like the idea to render every document/file.

[pgaskin]

@tboerger I think that even though it is a security risk in most cases, there may be some cases, including my own, where it is needed. It really is not much of a security risk of there is only a few trusted people who are able to write to our create repositories.

[pgaskin]

@tboerger Also, in the issue about XSS with gogs' current implementation which is a ?render parameter, the author of the issue suggests for the option to be moved to the config file gogs/gogs#3608

[pgaskin]

One example of people needing an option like this: gogs/gogs#2593

[pgaskin]

Another few examples: gogs/gogs#2283 (comment) and gogs/gogs#2283 (comment)

The last one I put cannot be solved using something like GitHub pages because it involves viewing rendered raw history of a file

[tboerger]

IMHO this is something to solve for a separate tool. Many users don't get know how important this option can get

[pgaskin]

What if we do not document the option?

[bkcsoft]

I really don't like undocumented options... Someone will see it in the code and turn it on without knowing the consequences of that... I'm with @tboerger on this one, Gitea is not made to work like a CDN, there are many other projects out there that fit the purpose better. Caddy can even be setup to monitor your git-repo and automagically serve from that.

[bkcsoft]

If I am to be completely honest, I vote to remove the ?render=1 option as well, since it is a huge security-risk... or at least make a config-flag to disable it (though for backwards-compat I might consider having it enabled by default 😒 )

[lunny]

same with #685

[pgaskin]

Doesn't the csrf request token prevent this from being a security risk? If we make it not set the csrf cookie when sending the page, then wouldn't this be perfectly fine?

[strk]

How about clearly describing the security risk, in the current documentation ?
Because I understand the risk you see is already there.

[pgaskin]

@strk Yes, and also, I use this patch in my server, and many of my friends do as well. There have not been any problems so far. How should it be described?

[strk]

@geek1011 as @bkcsoft did on IRC:

18:49 < BKC> okey, here it goes. It is _extremly_ simple to make a HTML-file 
with a small script in that will take your CSRF-token and session-key, send 
those to a server that changes your password and stores that "for later use"

[lunny]

But my point is we can genearte files and push the files to servers.
we can push files via local/ssh/ftp/coloud storage/http and etc.
setup a hook running on Gitea itself.

Copy my point from Gitter.

And we can detect the repo's types. Hugo maybe the first type and other formats.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[stale]

This issue has been automatically closed because of inactivity. You can re-open it if needed.