author | Lukas Fleischer <lfleischer@archlinux.org> | 2019-11-23 17:13:36 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2019-11-23 17:18:16 +0100 |
commit | 771ced3236a9200956ca722650e99e94d7f6450a (patch) | |
tree | ef231ab84fa778ee5c7238bb8ae4f2a2ffe01ddc | |
parent | 86e4cd0731b7164a8947fa3497483378aa1de209 (diff) | |
git-serve: check update hook permissions
Verify that the update hook exists and is executable before running Git
to prevent broken repositories when permissions are broken.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r-- | aurweb/exceptions.py | 6 | ||||
-rwxr-xr-x | aurweb/git/serve.py | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/aurweb/exceptions.py b/aurweb/exceptions.py
index 664db68c..62015284 100644
--- a/aurweb/exceptions.py
+++ b/aurweb/exceptions.py
@@ -16,6 +16,12 @@ class PermissionDeniedException(AurwebException):
 super(PermissionDeniedException, self).__init__(msg)


+class BrokenUpdateHookException(AurwebException):
+ def __init__(self, cmd):
+ msg = 'broken update hook: {:s}'.format(cmd)
+ super(BrokenUpdateHookException, self).__init__(msg)
+
+
 class InvalidUserException(AurwebException):
 def __init__(self, user):
 msg = 'unknown user: {:s}'.format(user)
diff --git a/aurweb/git/serve.py b/aurweb/git/serve.py
index 28827804..d43523c2 100755
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@@ -496,6 +496,9 @@ def serve(action, cmdargv, user, privileged, remote_addr):
 if not privileged and not pkgbase_has_write_access(pkgbase, user):
 raise aurweb.exceptions.PermissionDeniedException(user)

+ if not os.access(git_update_cmd, os.R_OK | os.X_OK):
+ raise aurweb.exceptions.BrokenUpdateHookException(git_update_cmd)
+
 os.environ["AUR_USER"] = user
 os.environ["AUR_PKGBASE"] = pkgbase
 os.environ["GIT_NAMESPACE"] = pkgbase |
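Review bot: BrokenUpdateHookException in aurweb/exceptions.py has no docstring and builds its message from the hook path passed as `cmd`. A one-line docstring such as `"""Raised when the update hook is missing or not readable and executable."""` would record when it is raised. Whether the message is shown to the remote user depends on the handler that catches AurwebException, which is not visible in this hunk; if it is, the message exposes a server-side path, and it would be better to log the path on the server and return a generic `'broken update hook'`. `'{:s}'.format(cmd)` also raises for a non-string `cmd` such as None, which would mask the original error.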
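Review bot: The added `os.access(git_update_cmd, os.R_OK | os.X_OK)` check in serve() (aurweb/git/serve.py) also succeeds when the path is a directory, so it does not establish that a runnable hook file exists. Adding a file test closes that gap: `if not os.path.isfile(git_update_cmd) or not os.access(git_update_cmd, os.R_OK | os.X_OK):`. os.access evaluates the real UID/GID, and the result can change before Git invokes the hook, so this is a fail-early diagnostic rather than a guarantee; a comment such as `# Fail closed: refuse to run Git when the update hook cannot be executed.` would make that intent explicit. The check also does not look at who owns or can write to the hook, which matters if accounts other than the service owner can modify that path. serve() begins and ends outside the hunk.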