update hook: anchor refex with ^ when matching refs
Currently, a line like
RW foo = user1
allows user1 to push any ref that contains the string refs/heads/foo.
This includes refs like
refs/heads/foo
refs/heads/foobar
refs/heads/foo/bar
which is fine; that is what is intended. (You can always use foo$
instead of foo if you want to prevent the latter two).
Similarly,
RW refs/foo = user1
allows
refs/foo
refs/foobar
refs/foo/bar
Now, I don't see this as a "security risk" but the fact is that this
allows someone to clutter your repo with junk like
refs/bar/refs/heads/foo
refs/heads/bar/refs/heads/foo
(or, with the second config line example,
refs/bar/refs/foo
refs/heads/bar/refs/foo
)
My personal advice is if you find someone doing that intentionally, you
should probably take him out and shoot him [*], but since now *two*
people have complained about this, here goes...
----
[*] you don't have to take him out if you don't want to
This commit is contained in:
Sitaram Chamarty
parent
6c38e30e9a
commit
a9824464e5
|
|
@ -100,7 +100,7 @@ sub check_ref {
|
|||
for my $ar (@allowed_refs) {
|
||||
$refex = (keys %$ar)[0];
|
||||
# refex? sure -- a regex to match a ref against :)
|
||||
next unless $ref =~ /$refex/;
|
||||
next unless $ref =~ /^$refex/;
|
||||
die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
|
||||
|
||||
# as far as *this* ref is concerned we're ok
|
||||
|
|
|
|||
Loading…
Reference in a new issue