From fb9829a698647bb31098701a925aded18b87acae Mon Sep 17 00:00:00 2001
From: Konstantin Gribov <grossws@gmail.com>
Date: Wed, 20 Jun 2012 16:31:30 +0400
Subject: [PATCH] Fixed url decoding in http gitolite command bypass.

Only '+' sign was unescaped in `http_simulate_ssh_connection()`.
When user translates `ssh git@host perms <repo> + <role> <user>` to
`curl https://host/git/perms?<repo>+%2b+<role>+<user>` nothing happens.
This commit fixes it modifying url unescaping.

committer notes: changed the regex per 'man URI::Escape'
---
 src/gitolite-shell | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/gitolite-shell b/src/gitolite-shell
index 7a1da03..5d48cc9 100755
--- a/src/gitolite-shell
+++ b/src/gitolite-shell
@@ -212,6 +212,7 @@ sub http_simulate_ssh_connection {
         my ($verb) = ( $ENV{PATH_INFO} =~ m(^/(\S+)) );
         my $args = $ENV{QUERY_STRING};
         $args =~ s/\+/ /g;
+        $args =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
         $ENV{SSH_ORIGINAL_COMMAND} = $verb;
         $ENV{SSH_ORIGINAL_COMMAND} .= " $args" if $args;
         http_print_headers();    # in preparation for the eventual output!