[PATCH] git-serve: check update hook permissions
Lukas Fleischer
lfleischer at archlinux.org
Sat Nov 23 16:18:32 UTC 2019
Verify that the update hook exists and is executable before running Git
to prevent from broken repositories when permissions are broken.
Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
aurweb/exceptions.py | 6 ++++++
aurweb/git/serve.py | 3 +++
2 files changed, 9 insertions(+)
diff --git a/aurweb/exceptions.py b/aurweb/exceptions.py
index 664db68..6201528 100644
--- a/aurweb/exceptions.py
+++ b/aurweb/exceptions.py
@@ -16,6 +16,12 @@ class PermissionDeniedException(AurwebException):
super(PermissionDeniedException, self).__init__(msg)
+class BrokenUpdateHookException(AurwebException):
+ def __init__(self, cmd):
+ msg = 'broken update hook: {:s}'.format(cmd)
+ super(BrokenUpdateHookException, self).__init__(msg)
+
+
class InvalidUserException(AurwebException):
def __init__(self, user):
msg = 'unknown user: {:s}'.format(user)
diff --git a/aurweb/git/serve.py b/aurweb/git/serve.py
index 2882780..d43523c 100755
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@@ -496,6 +496,9 @@ def serve(action, cmdargv, user, privileged, remote_addr):
if not privileged and not pkgbase_has_write_access(pkgbase, user):
raise aurweb.exceptions.PermissionDeniedException(user)
+ if not os.access(git_update_cmd, os.R_OK | os.X_OK):
+ raise aurweb.exceptions.BrokenUpdateHookException(git_update_cmd)
+
os.environ["AUR_USER"] = user
os.environ["AUR_PKGBASE"] = pkgbase
os.environ["GIT_NAMESPACE"] = pkgbase
--
2.24.0
More information about the aur-dev
mailing list