[PATCH] git-serve: check update hook permissions
Verify that the update hook exists and is executable before running Git to prevent from broken repositories when permissions are broken.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 aurweb/exceptions.py | 6 ++++++
 aurweb/git/serve.py | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/aurweb/exceptions.py b/aurweb/exceptions.py
index 664db68..6201528 100644
--- a/aurweb/exceptions.py
+++ b/aurweb/exceptions.py
@@ -16,6 +16,12 @@ class PermissionDeniedException(AurwebException):
 super(PermissionDeniedException, self).__init__(msg)
+class BrokenUpdateHookException(AurwebException):
+ def __init__(self, cmd):
+ msg = 'broken update hook: {:s}'.format(cmd)
+ super(BrokenUpdateHookException, self).__init__(msg)
+
+
 class InvalidUserException(AurwebException):
 def __init__(self, user):
 msg = 'unknown user: {:s}'.format(user)
diff --git a/aurweb/git/serve.py b/aurweb/git/serve.py
index 2882780..d43523c 100755
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@@ -496,6 +496,9 @@ def serve(action, cmdargv, user, privileged, remote_addr):
 if not privileged and not pkgbase_has_write_access(pkgbase, user):
 raise aurweb.exceptions.PermissionDeniedException(user)
+ if not os.access(git_update_cmd, os.R_OK | os.X_OK):
+ raise aurweb.exceptions.BrokenUpdateHookException(git_update_cmd)
+
 os.environ["AUR_USER"] = user
 os.environ["AUR_PKGBASE"] = pkgbase
 os.environ["GIT_NAMESPACE"] = pkgbase
-- 
2.24.0
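Review bot: In aurweb/exceptions.py the message built by `BrokenUpdateHookException.__init__` embeds the full server-side hook path (`'broken update hook: {:s}'.format(cmd)`). If AurwebException messages are relayed to the SSH client, which this hunk does not show, every user who hits the error learns the install path; logging the path on the server and keeping the client-facing text generic would avoid that. The class also has no docstring; something like `"""Raised when the Git update hook is missing or not readable and executable."""` would record when it is raised.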
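Review bot: In aurweb/git/serve.py the added `os.access(git_update_cmd, os.R_OK | os.X_OK)` guard also succeeds when the path is a directory, because X_OK on a directory only means it is searchable, so a hook path that points at a directory would still pass. Adding a file test closes that gap: `if not os.path.isfile(git_update_cmd) or not os.access(git_update_cmd, os.R_OK | os.X_OK):`. The guard is a pre-flight check rather than an enforcement point, since Git runs the hook later and `os.access` tests the real rather than the effective user id. A comment such as `# Git skips a hook that is not executable, so refuse to serve rather than accept unchecked pushes.` would record why the check sits here. serve() starts and ends outside the hunk.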