abort on suspicious ref names

(and the other Dan Carpenter finding too, while we're about it!) Note that neither of these is an actual issue, (and even less likely now that gitolite is pure perl and no shell metas used) but it's just playing safe.
2012-03-20 23:51:18 +05:30 · 2012-03-20 23:51:18 +05:30 · 139c08d3a1
parent 999f9cd39d
commit 139c08d3a1
3 changed files with 108 additions and 0 deletions
--- a/src/Gitolite/Conf/Load.pm
+++ b/src/Gitolite/Conf/Load.pm
@ -71,6 +71,9 @@ sub access {
    my $deny_rules = option($repo, 'deny-rules');
    load($repo);

+    # sanity check the only piece the user can control
+    _die "invalid characters in ref or filename: $ref\n" unless $ref =~ $REF_OR_FILENAME_PATT;
+
    # when a real repo doesn't exist, ^C is a pre-requisite for any other
    # check to give valid results.
    if ( $aa ne '^C' and $repo !~ /^\@/ and $repo =~ $REPONAME_PATT and repo_missing($repo) ) {
--- a/src/gitolite-shell
+++ b/src/gitolite-shell
@ -45,6 +45,10 @@ sub in_http {
 }

 sub in_ssh {
+    $ENV{SSH_ORIGINAL_COMMAND} ||= '';
+    my $soc = $ENV{SSH_ORIGINAL_COMMAND};
+    $soc =~ s/[\n\r]+/<<newline>>/g;
+    _die "I don't like newlines in the command: $soc\n" if $ENV{SSH_ORIGINAL_COMMAND} ne $soc;
 }

 # ----------------------------------------------------------------------
--- a/t/invalid-refnames-filenames.t
+++ b/t/invalid-refnames-filenames.t
@ -0,0 +1,101 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+
+# this is hardcoded; change it if needed
+use lib "src";
+use Gitolite::Test;
+
+# invalid refnames
+# ----------------------------------------------------------------------
+
+try "plan 57";
+try "DEF POK = !/DENIED/; !/failed to push/";
+
+confreset; confadd '
+    repo aa
+        RW+                 =   @all
+';
+
+try "ADMIN_PUSH set1; !/FATAL/" or die text();
+
+try "
+
+cd ..
+rm -rf aa
+glt clone u1 file:///aa
+cd aa
+tc v-869
+
+glt push u1 origin HEAD
+        /To file:///aa/
+        POK; /\\* \\[new branch\\]      HEAD -> master/
+
+# push file aa,bb ok
+tc  aa,bb
+glt push u1 origin HEAD
+        /To file:///aa/
+        POK; /HEAD -> master/
+
+# push file aa=bb ok
+tc  aa=bb
+glt push u1 origin HEAD
+        /To file:///aa/
+        POK; /HEAD -> master/
+
+# push to branch dd,ee ok
+glt push u1 origin master:dd,ee
+        /To file:///aa/
+        POK; /\\* \\[new branch\\]      master -> dd,ee/
+
+# push to branch dd=ee fail
+glt push u1 origin master:dd=ee
+        /invalid characters in ref or filename: refs/heads/dd=ee/
+        reject
+";
+
+confreset; confadd '
+    repo aa
+        RW+                 =   @all
+        RW+ NAME/           =   @all
+';
+
+try "ADMIN_PUSH set1; !/FATAL/" or die text();
+
+try "
+
+cd ..
+rm -rf aa
+glt clone u1 file:///aa
+cd aa
+tc  file-1
+
+glt push u1 origin HEAD
+        /To file:///aa/
+        POK; /\\* \\[new branch\\]      HEAD -> master/
+
+# push file aa,bb ok
+tc  aa,bb
+glt push u1 origin HEAD
+        /To file:///aa/
+        POK; /HEAD -> master/
+
+# push file aa=bb fail
+tc  aa=bb
+glt push u1 origin HEAD
+        /To file:///aa/
+        /invalid characters in ref or filename: VREF/NAME/aa=bb/
+        reject
+
+# push to branch dd,ee ok
+git reset --hard HEAD^
+tc  some-file
+glt push u1 origin master:dd,ee
+        /To file:///aa/
+        POK; /\\* \\[new branch\\]      master -> dd,ee/
+
+# push to branch dd=ee fail
+glt push u1 origin master:dd=ee
+        /invalid characters in ref or filename: refs/heads/dd=ee/
+        reject
+";