[security] Spoofing Hostname leads to Write-Access on any system

[cHolzberger]

git-webui/src/libexec/git-core/git-webui

Line 145 in dee7c19

host = self.headers.get("Host", "").split(":")[0]

You can spoof the localhost hostname from any system able to connect to gitweb and by this code anyone able to access webui by the hostname "localhost" have writeaccess.

Curl Example:
curl 'http://192.168.X.X:8000/viewonly' -H "Host: localhost" -> 0

Also accessing localhost by another Hostname results in no write access
curl 'http://localhost:8000/viewonly' -H "Host: exthost" -> 1