From 5deffee3cff5f9a13c59b8c1e357c5a32487d1c3 Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Fri, 9 Apr 2010 16:48:46 +0530 Subject: [PATCH] security: gitolite admin can get shell access by using screwy pubkey name example: keydir/sitaram@$(some-dangerous-command; echo hi).pub (still won't get the reward; that is only if a non-admin user gets privs!) --- src/gl-compile-conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/gl-compile-conf b/src/gl-compile-conf index 575ee61..1fb942b 100755 --- a/src/gl-compile-conf +++ b/src/gl-compile-conf @@ -511,6 +511,12 @@ print $newkeys_fh "# gitolite start\n"; wrap_chdir($GL_KEYDIR); for my $pubkey (glob("*")) { + # security check (thanks to divVerent for catching this) + unless ($pubkey =~ $USERNAME_PATT) { + print STDERR "$pubkey contains some unsavoury characters; ignored...\n"; + next; + } + # lint check 1 unless ($pubkey =~ /\.pub$/) {