diff --git a/gl-auth-command b/gl-auth-command index cd3f450..1fd294c 100755 --- a/gl-auth-command +++ b/gl-auth-command @@ -65,9 +65,10 @@ my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere! my $cmd = $ENV{SSH_ORIGINAL_COMMAND} or die "no SSH_ORIGINAL_COMMAND? I'm not a shell, $user!"; -# we don't like newlines or semicolons in SSH_ORIGINAL_COMMAND +# this check is largely for comic value if someone tries something outrageous; +# $cmd gets split and the pieces examined more thoroughly later anyway die "$cmd??? you're a funny guy..." - if $cmd =~ /[;\n]/; + if $cmd =~ /[<>&|;\n]/; # split into command and arguments; the pattern allows old style as well as # new style: "git-subcommand arg" or "git subcommand arg", just like gitosis @@ -77,7 +78,7 @@ die "$cmd??? you're a funny guy..." # git-receive-pack 'reponame.git' # including the single quotes -my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'(.*).git'/); +my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*).git'/); die "$verb? I don't do odd jobs, sorry..." unless $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS; @@ -91,7 +92,9 @@ die "I don't like the look of $repo, sorry!" # we know the user and repo; we just need to know what perm he's trying my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W'); -die "access denied" unless $repos{$repo}{$perm}{$user}; +die "$perm access for $repo denied to $user" + unless $repos{$repo}{$perm}{$user} + or $repos{$repo}{$perm}{'@all'}; # ---------------------------------------------------------------------------- # over to git now diff --git a/update-hook.pl b/update-hook.pl index 2e98911..709266e 100755 --- a/update-hook.pl +++ b/update-hook.pl 
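Review bot: The widened class in `if $cmd =~ /[<>&|;\n]/` is still a denylist and leaves out backticks and `$`, so it should not be read as the check that keeps `$cmd` shell-safe. The new comment says the pieces are examined later; it would help to name those checks, e.g. `# not the security boundary: the verb is matched against $R_COMMANDS/$W_COMMANDS and $repo is validated below`. How `$cmd` is finally handed to git lies outside this hunk, so whether an allowlist of permitted characters is warranted here depends on that code.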
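Review bot: In the changed match, the `.` before `git` is unescaped and the pattern has no end anchor. It therefore accepts any character in that position and ignores whatever follows the closing quote. Tightening it to `/^\s*(git\s+\S+|\S+)\s+'\/?(.*)\.git'\s*$/` would make the captured `$repo` correspond to the whole argument. The greedy `(.*)` still admits `..` and further slashes after the optional leading `/` is dropped, so the `$repo` sanity check (outside this hunk) remains the real guard. When nothing matches, `$verb` is undef and the following `die "$verb? ..."` interpolates it; an explicit `die` on a failed match would be cleaner.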
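Review bot: The `'@all'` fallback in `unless $repos{$repo}{$perm}{$user} or $repos{$repo}{$perm}{'@all'}` is written out a second time in the update-hook.pl hunk, so the access rule now lives in two places that must stay in step. A comment here such as `# '@all' is a pseudo-user meaning any authenticated user; update-hook.pl applies the same fallback per ref` would make that coupling visible. `'@all'` also shares the key space with real names taken from `GL_USER`. Whether the config compiler rejects a user literally named `@all` is not visible on this page and is worth confirming.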
@@ -67,8 +67,10 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40); # should $perm = '+' if $ref =~ m(refs/heads/) and $oldsha ne $merge_base; -my $allowed_refs = $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}}; -for my $refex (@$allowed_refs) +my @allowed_refs; +push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}} }; +push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{'@all'} }; +for my $refex (@allowed_refs) # refex? sure -- a regex to match a ref against :) { if ($ref =~ /$refex/)
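Review bot: The two `push @allowed_refs, @ { ... }` lines dereference hash entries that may not exist. The first one is missing in exactly the case this change targets, where a user has no per-user entry and relies on `'@all'`. If the file runs under `use strict` (not visible here), dereferencing undef in that position is likely to die with "Can't use an undefined value as an ARRAY reference". That fails closed but would defeat the feature, whereas the old `for my $refex (@$allowed_refs)` quietly iterated over nothing. Defaulting each side, e.g. `push @allowed_refs, @{ $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}} || [] };` and the same for `'@all'`, avoids relying on that. The loop body continues outside the hunk; `$ref =~ /$refex/` is unanchored, so each refex matches anywhere in the ref name unless the config compiler anchors it.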