From: "Christian Ruppert"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Christian Ruppert"
Message-ID: <4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc.idl0r@gentoo>
Subject: [gentoo-commits] proj/gitolite-gentoo:upstream commit in: src/
X-VCS-Repository: proj/gitolite-gentoo
X-VCS-Files: src/gl-auth-command
X-VCS-Directories: src/
X-VCS-Committer: idl0r
X-VCS-Committer-Name: Christian Ruppert
X-VCS-Revision: 4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc
Date: Wed, 16 Feb 2011 16:03:57 +0000 (UTC)

commit:     4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc
Author:     Sitaram Chamarty atc tcs com>
AuthorDate: Tue Feb 15 09:28:42 2011 +0000
Commit:     Christian Ruppert gentoo org>
CommitDate: Tue Feb 15 09:28:42 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/gitolite-gentoo.git;a=commit;h=4ce00aef

security fix for optional ADC (admin-defined command) feature

Thanks to Dylan Simon for catching it...

---
 src/gl-auth-command | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/gl-auth-command b/src/gl-auth-command
index 1af4232..f3449a5 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n"
 if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
     my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
     if (-x "$GL_ADC_PATH/$cmd") {
+        die "I don't like $cmd\n" if $cmd =~ /\.\./;
         # yes this is rather strict, sorry.
         do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args);
         &log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
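Review bot: The new `die ... if $cmd =~ /\.\./;` is placed inside the `if (-x "$GL_ADC_PATH/$cmd")` block, so the untrusted `$cmd` taken from `SSH_ORIGINAL_COMMAND` has already been interpolated into a filesystem path and probed with `-x` before the `..` check runs; the rejection only fires after that test has succeeded. Moving the check up to directly after the `split`, before the `-x` test, would keep an unvalidated `$cmd` out of the path entirely, and it would then sit naturally beside the existing `$ADC_CMD_ARGS_PATT` check, which also only runs once the `-x` test has passed. A short comment stating why `..` is rejected separately from `$ADC_CMD_ARGS_PATT` (the pattern alone evidently did not exclude it) would help the next reader of this block.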