[security] Spoofing Hostname leads to Write-Access on any system

[cHolzberger]

https://github.com/alberthier/git-webui/blob/dee7c192b2ec063cf638c3ec6e99589812b9d231/src/libexec/git-core/git-webui#L145

You can spoof the localhost hostname from any system able to connect to gitweb and by this code anyone able to access webui by the hostname "localhost" have writeaccess.

Curl Example: curl 'http://192.168.X.X:8000/viewonly' -H "Host: localhost" -> 0

Also accessing localhost by another Hostname results in no write access curl 'http://localhost:8000/viewonly' -H "Host: exthost" -> 1