On Tue, 23 Jun 2015 at 12:26:35, Johannes Löthberg wrote:
Also add an utility function for formatting the ForceCommand, using shlex.quote to quote the value.
Manually replacing '\"' with '\\"' is required under OpenSSH due to it replacing `\"` with `"`, which breaks any command part that contains a double quote character.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- git-interface/git-auth.py | 24 ++++++++++++++++++++++-- git-interface/git-serve.py | 2 +- 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/git-interface/git-auth.py b/git-interface/git-auth.py index c9e1f01..f355332 100755 --- a/git-interface/git-auth.py +++ b/git-interface/git-auth.py @@ -2,10 +2,26 @@
import configparser import mysql.connector +import shlex import os import re import sys
+ +def format_command(env_vars, command, ssh_opts, key): + environment = '' + for key, var in env_vars.items():
You overwrite the key parameter passed to format_command() here. Maybe rename the function parameter to ssh_key?
+ environment += '{}={} && '.format(key, shlex.quote(var))
As mentioned before and discussed on IRC, we should not (and cannot) use a &&-chain here.
+ + command = shlex.quote(command) + command = '{}{}'.format(environment, command) + + # OpenSSH replaces '\"' with '"', so manually escape slash
"manually escape slash" isn't true and I think the comment doesn't justify why this is needed... Maybe something along the lines of The command is being substituted into an authorized_keys line below, so we need to escape double quotes. Opinions? The patch looks fine otherwise!
+ command = command.replace('"', '\\"') + msg = 'command="{}",{} {}'.format(command, ssh_opts, key) + return msg + + [...]