(security) fix bug in pattern to detect path traversal

while we're about it, add the same check to some of the internal routines, so that commands can also be protected. finally, just to make sure we don't lose it again in some other fashion, add a few tests for path traversal...
2012-10-05 07:19:59 +05:30 · 2012-10-05 07:19:59 +05:30 · f636ce3ba3
commit f636ce3ba3
parent 0d371ac957
3 changed files with 33 additions and 3 deletions
--- a/src/lib/Gitolite/Conf/Load.pm
+++ b/src/lib/Gitolite/Conf/Load.pm
@ -67,8 +67,9 @@ my $last_repo = '';

 sub access {
    my ( $repo, $user, $aa, $ref ) = @_;
-    _die "invalid repo '$repo'" if not( $repo and $repo =~ $REPOPATT_PATT );
    _die "invalid user '$user'" if not( $user and $user =~ $USERNAME_PATT );
+    sanity($repo);
+
    my $deny_rules = option( $repo, 'deny-rules' );
    load($repo);

@ -175,8 +176,18 @@ sub option {
    return $ret->{$option};
 }

+sub sanity {
+    my $repo = shift;
+
+    _die "invalid repo '$repo'" if not( $repo and $repo =~ $REPOPATT_PATT );
+    _die "'$repo' ends with a '/'" if $repo =~ m(/$);
+    _die "'$repo' contains '..'" if $repo =~ $REPONAME_PATT and $repo =~ m(\.\.);
+}
+
 sub repo_missing {
    my $repo = shift;
+    sanity($repo);
+
    return not -d "$rc{GL_REPO_BASE}/$repo.git";
 }

@ -400,6 +411,8 @@ sub generic_name {

 sub creator {
    my $repo = shift;
+    sanity($repo);
+
    return ( $ENV{GL_USER} || '' ) if repo_missing($repo);
    my $f       = "$rc{GL_REPO_BASE}/$repo.git/gl-creator";
    my $creator = '';