Mercurial > kallithea

diff rhodecode/lib/middleware/simplegit.py @ 2090:2632a49cb402 beta

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fixes issue #372 - improved detection of git operation, that caused to return bad data and created a security bug
author Marcin Kuzminski <marcin@python-works.com>
date Fri, 02 Mar 2012 21:53:19 +0200
parents 9f0fe6777833
children ecd59c28f432 f0649c7cf94a
line wrap: on
line diff
--- a/rhodecode/lib/middleware/simplegit.py	Fri Mar 02 20:20:42 2012 +0200
+++ b/rhodecode/lib/middleware/simplegit.py	Fri Mar 02 21:53:19 2012 +0200
@@ -121,6 +121,7 @@
         #======================================================================
         # CHECK ANONYMOUS PERMISSION
         #======================================================================
+
         if action in ['pull', 'push']:
             anonymous_user = self.__get_user('default')
             username = anonymous_user.username
@@ -169,15 +170,13 @@
                                                          start_response)
 
                     #check permissions for this repository
-                    perm = self._check_permission(action, user,
-                                                   repo_name)
+                    perm = self._check_permission(action, user, repo_name)
                     if perm is not True:
                         return HTTPForbidden()(environ, start_response)
 
         #===================================================================
         # GIT REQUEST HANDLING
         #===================================================================
-
         repo_path = safe_str(os.path.join(self.basepath, repo_name))
         log.debug('Repository path is %s' % repo_path)
 
@@ -203,7 +202,6 @@
         :param repo_name: name of the repository
         :param repo_path: full path to the repository
         """
-
         _d = {'/' + repo_name: Repo(repo_path)}
         backend = dulserver.DictBackend(_d)
         gitserve = HTTPGitApplication(backend)
@@ -229,19 +227,24 @@
         return User.get_by_username(username)
 
     def __get_action(self, environ):
-        """Maps git request commands into a pull or push command.
+        """
+        Maps git request commands into a pull or push command.
 
         :param environ:
         """
         service = environ['QUERY_STRING'].split('=')
+
         if len(service) > 1:
             service_cmd = service[1]
             mapping = {
                 'git-receive-pack': 'push',
                 'git-upload-pack': 'pull',
             }
-
-            return mapping.get(service_cmd,
-                               service_cmd if service_cmd else 'other')
+            op = mapping[service_cmd]
+            self._git_stored_op = op
+            return op
         else:
-            return 'other'
+            # try to fallback to stored variable as we don't know if the last
+            # operation is pull/push
+            op = getattr(self, '_git_stored_op', 'pull')
+        return op