From a9824464e5729f1c8b031b491c384a49a199d4ff Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Wed, 13 Jan 2010 14:59:45 +0530 Subject: [PATCH] update hook: anchor refex with ^ when matching refs Currently, a line like RW foo = user1 allows user1 to push any ref that contains the string refs/heads/foo. This includes refs like refs/heads/foo refs/heads/foobar refs/heads/foo/bar which is fine; that is what is intended. (You can always use foo$ instead of foo if you want to prevent the latter two). Similarly, RW refs/foo = user1 allows refs/foo refs/foobar refs/foo/bar Now, I don't see this as a "security risk" but the fact is that this allows someone to clutter your repo with junk like refs/bar/refs/heads/foo refs/heads/bar/refs/heads/foo (or, with the second config line example, refs/bar/refs/foo refs/heads/bar/refs/foo ) My personal advice is if you find someone doing that intentionally, you should probably take him out and shoot him [*], but since now *two* people have complained about this, here goes... ---- [*] you don't have to take him out if you don't want to --- src/hooks/update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hooks/update b/src/hooks/update index a3c1be4..c1ff18f 100755 --- a/src/hooks/update +++ b/src/hooks/update @@ -100,7 +100,7 @@ sub check_ref { for my $ar (@allowed_refs) { $refex = (keys %$ar)[0]; # refex? sure -- a regex to match a ref against :) - next unless $ref =~ /$refex/; + next unless $ref =~ /^$refex/; die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-'; # as far as *this* ref is concerned we're ok
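Review bot: the new `/^$refex/` in check_ref only anchors the first alternative when the refex itself contains a top-level `|`, so a config refex such as `refs/heads/foo|refs/heads/bar` would still match the second branch anywhere in the ref (for example `refs/heads/bar/refs/heads/bar`), which is exactly the clutter this patch sets out to stop; wrapping the interpolated expression as `next unless $ref =~ /^(?:$refex)/;` applies the anchor to the whole refex regardless of how it was written. The end of the ref is intentionally left unanchored (the commit message points users at `foo$`), so it would help to state in the conf documentation that a refex is matched as a prefix from the start of the full ref name and that `$` is needed to pin the end, since the `DENIED by $refex` message on the following line reports the refex without the added `^` and a reader of the log will not see that the anchor was applied.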