review all user input, system(), and ``

src/commands/desc

@@ -16,14 +16,18 @@ repo=$1; shift
 
 # this shell script takes arguments that are completely under the user's
 # control, so make sure you quote those suckers!
-
 gitolite creator "$repo" $GL_USER || die You are not authorised
+# if it passes, $repo is a valid repo name so it is known to contain only sane
+# characters.  This is because 'gitolite creator' return true only if there
+# *is* a repo of that name and it has a gl-creator file that contains the same
+# text as $GL_USER.
+
 descfile=`gitolite query-rc GL_REPO_BASE`/"$repo".git/description
 
 if [ -z "$1" ]
 then
-    [ -r $descfile ] && cat $descfile
+    [ -r "$descfile" ] && cat "$descfile"
     exit 0
 fi
 
-echo "$*" > $descfile
+echo "$*" > "$descfile"

src/commands/perms

@@ -69,6 +69,7 @@ sub setperms {
     my ( $op, $role, $user ) = @_;
     _die "Invalid syntax.  Please re-run with '-h' for detailed usage" if $op ne '+' and $op ne '-';
     _die "Invalid role '$role'; check the rc file" if not $rc{ROLES}{$role};
+    _die "Invalid user '$user'" if not $user =~ $USERNAME_PATT;
 
     my $text = '';
     my @text = slurp($pf) if -f $pf;

src/commands/post-compile/ssh-authkeys

@@ -87,6 +87,7 @@ sub fp {
     my $in = shift || '';
     if ( $in =~ /\.pub$/ ) {
         # single pubkey file
+        _die "bad pubkey file '$in'" unless $in =~ $REPONAME_PATT;
         return fp_file($in);
     } elsif ( -f $in ) {
         # an authkeys file
@@ -99,7 +100,7 @@ sub fp {
 
 sub fp_file {
     my $f  = shift;
-    my $fp = `ssh-keygen -l -f $f`;
+    my $fp = `ssh-keygen -l -f '$f'`;
     chomp($fp);
     _die "fingerprinting failed for $f" unless $fp =~ /([0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+)/;
     $fp = $1;