deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

rsync: restrict the "path" part of the received command

Browse source 
Although I have washed my hands off the security aspect if you use
external commands, that doesn't mean I won't make them as tight as I can
;-)  Right now, this is just a place holder -- if people use it and
complain that the pattern is too restrictive, I'll change it.
This commit is contained in:
Sitaram Chamarty 2010-02-06 05:43:16 +05:30
parent 388f4d873d
commit b299ff09c3
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/gitolite.pm
View file

@ -411,6 +411,8 @@ sub ext_cmd_rsync
my $perm = "W"; my $perm = "W";
$perm = "R" if $1; $perm = "R" if $1;
my $path = $2; my $path = $2;
die "I dont like some of the characters in $path\n" unless $path =~ $REPOPATT_PATT;
# XXX make a better pattern for this if people complain ;-)
die "I dont like absolute paths in $cmd\n" if $path =~ /^\//; die "I dont like absolute paths in $cmd\n" if $path =~ /^\//;
die "I dont like '..' paths in $cmd\n" if $path =~ /\.\./; die "I dont like '..' paths in $cmd\n" if $path =~ /\.\./;