tighten up ref/file names (warning: possible backward compat breakage)

The backward compat breakage is for people who already have all kinds of arbitrary characters in filenames *and* use `NAME/` rules. See the doc change in this commit for details and mitigation. See this link for background: http://groups.google.com/group/gitolite/browse_thread/thread/8dc5242052b16d0f Thanks to Dan Carpenter for the audit.
2011-10-01 07:32:29 +05:30 · 2011-10-01 07:32:29 +05:30 · a07e0d6b5c
parent 871ed281cc
commit a07e0d6b5c
5 changed files with 124 additions and 1 deletions
--- a/conf/example.gitolite.rc
+++ b/conf/example.gitolite.rc
@ -56,6 +56,7 @@ $SVNSERVE = "";
 # $GL_ADC_PATH = "";
 # $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
 # $GL_HTTP_ANON_USER = "mob";
+# $GL_REF_OR_FILENAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._\@/+ :,-]*$);

 # ------------------------------------------------------------------------------
 # less used/changed variables
--- a/doc/gitolite.rc.mkd
+++ b/doc/gitolite.rc.mkd
@ -260,6 +260,21 @@ on feedback from my users to find or fix issues.
    gitolite that unauthenticated HTTP users are actually authenticated as
    this user.

+  * `$GL_REF_OR_FILENAME_PATT`, string
+
+    Set of allowed characters in refnames (and, if you have `NAME/` rules, in
+    filenames as well).  The default pattern is almost the same as
+    `$REPONAME_PATT` with some additions.
+
+    Although the current code is not at risk in any way even if we let in
+    names containing strings like `$(command)`, and although I intend to make
+    sure things stay that way, it's probably a good idea to trap weird
+    filenames early.  Just to be safe.
+
+    You ought to be able to loosen the pattern by adding other characters to
+    it, if you really need to.  If you do, at least avoid backquotes and the
+    dollar sign!
+
 <a name="_less_used_changed_variables"></a>

 ### less used/changed variables
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@ -213,6 +213,10 @@ sub check_ref {
    # NOTE: the function DIES when access is denied, unless arg 5 is true

    my ($allowed_refs, $repo, $ref, $perm, $dry_run) = @_;
+
+    # sanity check the ref
+    die "invalid characters in ref or filename: $ref\n" unless $ref =~ $GL_REF_OR_FILENAME_PATT;
+
    my @allowed_refs = sort { $a->[0] <=> $b->[0] } @{$allowed_refs};
    for my $ar (@allowed_refs) {
        my $refex = $ar->[1];
--- a/src/gitolite_rc.pm
+++ b/src/gitolite_rc.pm
@ -9,7 +9,7 @@ use Exporter 'import';
@EXPORT = qw(
    $ABRT $WARN
    $R_COMMANDS $W_COMMANDS
-    $REPONAME_PATT $USERNAME_PATT $REPOPATT_PATT
+    $REPONAME_PATT $USERNAME_PATT $REPOPATT_PATT $GL_REF_OR_FILENAME_PATT
    $ADC_CMD_ARGS_PATT
    $BIG_INFO_CAP
    $current_data_version
@ -48,6 +48,8 @@ $REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@/+-]*$);
 $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$);
 # same as REPONAME, but used for wildcard repos, allows some common regex metas
 $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z[][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/,-]*$);
+# pattern for refnames pushed or names of files changed
+$GL_REF_OR_FILENAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._\@/+ :,-]*$);

 # ADC commands and arguments must match this pattern
 $ADC_CMD_ARGS_PATT=qr(^[0-9a-zA-Z._\@/+:-]*$);
--- a/t/t69-bad-ref-file-names
+++ b/t/t69-bad-ref-file-names
@ -0,0 +1,101 @@
+cd $TESTDIR
+$TESTDIR/rollback || die "rollback failed"
+# ----------
+
+# vim: syn=sh:
+# ----------
+name "setup"
+echo "
+    repo aa
+        RW+                 =   @all
+" | ugc
+
+# reasonably complex setup; we'll do everything from one repo though
+cd ~/td
+rm -rf aa
+runlocal git clone u1:aa
+cd ~/td/aa
+mdc file-1
+name "INTERNAL"
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect_push_ok "\* \[new branch\]      HEAD -> master"
+
+name "push file aa,bb ok"
+mdc aa,bb
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect_push_ok "HEAD -> master"
+
+name "push file aa=bb ok"
+mdc aa=bb
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect_push_ok "HEAD -> master"
+
+name "push to branch dd,ee ok"
+runlocal git push origin master:dd,ee
+expect "To u1:aa"
+expect_push_ok "\* \[new branch\]      master -> dd,ee"
+
+name "push to branch dd=ee fail"
+runlocal git push origin master:dd=ee
+expect "remote: invalid characters in ref or filename: refs/heads/dd=ee"
+expect "remote: error: hook declined to update refs/heads/dd=ee"
+expect "\[remote rejected\] master -> dd=ee (hook declined)"
+expect "error: failed to push some refs to 'u1:aa'"
+
+name "INTERNAL"
+
+cd $TESTDIR
+$TESTDIR/rollback || die "rollback failed"
+# ----------
+
+name "setup"
+echo "
+    repo aa
+        RW+                 =   @all
+        RW+ NAME/           =   @all
+" | ugc -r
+
+# reasonably complex setup; we'll do everything from one repo though
+cd ~/td
+rm -rf aa
+runlocal git clone u1:aa
+cd ~/td/aa
+mdc file-1
+name "INTERNAL"
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect_push_ok "\* \[new branch\]      HEAD -> master"
+
+name "push file aa,bb ok"
+mdc aa,bb
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect_push_ok "HEAD -> master"
+
+name "push file aa=bb fail"
+mdc aa=bb
+runlocal git push origin HEAD
+expect "To u1:aa"
+expect "remote: invalid characters in ref or filename: NAME/aa=bb"
+expect "remote: error: hook declined to update refs/heads/master"
+expect "\[remote rejected\] HEAD -> master (hook declined)"
+expect "error: failed to push some refs to 'u1:aa'"
+
+name "push to branch dd,ee ok"
+runlocal git reset --hard HEAD^
+mdc some-file
+runlocal git push origin master:dd,ee
+expect "To u1:aa"
+expect_push_ok "\* \[new branch\]      master -> dd,ee"
+
+name "push to branch dd=ee fail"
+runlocal git push origin master:dd=ee
+expect "remote: invalid characters in ref or filename: refs/heads/dd=ee"
+expect "remote: error: hook declined to update refs/heads/dd=ee"
+expect "\[remote rejected\] master -> dd=ee (hook declined)"
+expect "error: failed to push some refs to 'u1:aa'"
+
+name "INTERNAL"