From 1e06fea3b6959faeb72d8dca46cd4753ada48637 Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Tue, 20 Apr 2010 19:01:05 +0530 Subject: [PATCH] (security) a different fix in place of 5fd9328 SECURITY NOTE: if you deleted or renamed a pubkey file after 5fd9328 went in (April 12th), please: - upgrade asap, then - go to your latest gitolite-admin clone and "git push -f" Otherwise this is not urgent. 5fd9328 (and its minor successor 813a2a9) were about preventing the gitolite admin from sneaking in files to src/ and hooks/ into $GL_ADMINDIR. It seemed easy enough to do this by converting the path-less checkout to a with-paths checkout, but this has caused a worse problem -- deleting a keydir/foo.pub now no longer has an effect; the file still hangs around in the work tree. Ouch! (and thanks to teukka for noticing) We now do this check as a separate step, so the checkout can revert to being path-less. --- hooks/gitolite-admin/post-update | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/hooks/gitolite-admin/post-update b/hooks/gitolite-admin/post-update index 891c273..0d1ba99 100755 --- a/hooks/gitolite-admin/post-update +++ b/hooks/gitolite-admin/post-update @@ -1,9 +1,17 @@ #!/bin/sh +# ensure that the admin is not sneaking in src/ and hooks/ :) +GIT_WORK_TREE=$GL_ADMINDIR git ls-tree --name-only master | + perl -lne 'exit 1 if /^(src|hooks)$/' || { + echo "*** ERROR ***" >&2 + echo "no files/dirs called 'src' or 'hooks' are allowed, sorry" >&2 + echo "until those files are deleted, the post-update hook will not run" >&2 + exit 1 + } + # checkout the master branch to $GL_ADMINDIR # (the GL_ADMINDIR env var would have been set by gl-auth-command) -GIT_WORK_TREE=$GL_ADMINDIR git checkout -f master -- \ - `git ls-tree --name-only master | perl -lne 'print unless /^(src|hooks)$/'` +GIT_WORK_TREE=$GL_ADMINDIR git checkout -f master od=$PWD cd $GL_ADMINDIR