From a15e910cf8b0ff305f512cddcb64cbf76f4132b1 Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Fri, 11 Dec 2009 21:37:33 +0530 Subject: [PATCH] auth: dont allow trailing slash in reponames... ...like "git clone host:foo/", even if it matches "repo foo/.*" NOTE: I expect a few more of these special cases to be found as time goes on and people find new ways to abuse the regex system, whether it is done intentionally or not. Anything not fixable by changing the config file will be fixed in the code asap. This one, for instance, seems fixable by using "foo/.+" instead of "foo/.*". But it actually isn't; the user can do "git clone host:foo//" and bypass that :( Still I suspect most situations will get an entry in the "then don't do that" file :) ---- patient: "doc, it hurts when I do this" doc: "then don't do that" --- src/gl-auth-command | 1 + 1 file changed, 1 insertion(+) diff --git a/src/gl-auth-command b/src/gl-auth-command index cc4b5f9..3f0ea3b 100755 --- a/src/gl-auth-command +++ b/src/gl-auth-command @@ -103,6 +103,7 @@ my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:.git)?'/); die "bad command: $cmd. Make sure the repo name is exactly as in your config\n" unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ); +die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/; # ---------------------------------------------------------------------------- # first level permissions check
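Review bot: the added `die ... if $repo =~ /\/$/;` only rejects an empty path component at the very end of `$repo`. A doubled slash elsewhere in the name is not covered by this line, and nothing visible in the hunk shows whether `$REPONAME_PATT` rejects it. Since the commit message already expects more special cases of this kind, consider rejecting every empty component in one test, for example `die "$repo has an empty path component\n" if $repo =~ m{//|/$};`, so the name checked against the config regex has the same shape as the path that ends up on disk. Two smaller points: in the context line that captures `$repo`, the dot in `(?:.git)?` is unescaped, so any character followed by "git" is stripped as a suffix before this check runs; and the message "I don't like that" gives the user less to act on than the "bad command" text above it, so it would help to say that repo names must not end in a slash.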