deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

MAJOR BUGFIX: disallow "hooks" directory in admin repo

Browse source 
Although this is not a "hole" that allows a normal user to bypass
controls, I still consider this a hole in the sense that I want to
separate "admin push" rights from "shell access on server" rights.

(I realise that most people don't make this distinction, but I do, and
for me and most sites I consult for it is important).

Thanks to drue on #gitolite who pointed it out excitedly, and apologies
for killing what he thought of as a feature!
This commit is contained in:
Sitaram Chamarty 2012-05-23 03:17:58 +05:30
parent dd083085cf
commit 5298a79cb5
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/lib/Gitolite/Hooks/PostUpdate.pm
View file

@ -23,7 +23,7 @@ sub post_update {
# this is the *real* post_update hook for gitolite
tsh_try("git ls-tree --name-only master");
_die "no files/dirs called 'hooks' or 'logs' are allowed" if tsh_text() =~ /^(hooks|logs)$/;
_die "no files/dirs called 'hooks' or 'logs' are allowed" if tsh_text() =~ /^(hooks|logs)$/m;
{
local $ENV{GIT_WORK_TREE} = $rc{GL_ADMIN_BASE};