changeset 2090:2632a49cb402 beta
fixes issue #372
- improved detection of the git operation; the previous detection returned bad data and created a security bug
author | Marcin Kuzminski <marcin@python-works.com> |
date | Fri, 02 Mar 2012 21:53:19 +0200 |
parents | a9f2aa1e15e6 |
children | 6a97bbdded09 |
files | rhodecode/lib/middleware/simplegit.py |
diffstat | 1 files changed, 12 insertions(+), 9 deletions(-) [+] |
--- a/rhodecode/lib/middleware/simplegit.py Fri Mar 02 20:20:42 2012 +0200
+++ b/rhodecode/lib/middleware/simplegit.py Fri Mar 02 21:53:19 2012 +0200
@@ -121,6 +121,7 @@ #====================================================================== # CHECK ANONYMOUS PERMISSION #====================================================================== + if action in ['pull', 'push']: anonymous_user = self.__get_user('default') username = anonymous_user.username
@@ -169,15 +170,13 @@ start_response) #check permissions for this repository - perm = self._check_permission(action, user, - repo_name) + perm = self._check_permission(action, user, repo_name) if perm is not True: return HTTPForbidden()(environ, start_response) #=================================================================== # GIT REQUEST HANDLING #=================================================================== - repo_path = safe_str(os.path.join(self.basepath, repo_name)) log.debug('Repository path is %s' % repo_path)
@@ -203,7 +202,6 @@ :param repo_name: name of the repository :param repo_path: full path to the repository """ - _d = {'/' + repo_name: Repo(repo_path)} backend = dulserver.DictBackend(_d) gitserve = HTTPGitApplication(backend)
@@ -229,19 +227,24 @@ return User.get_by_username(username) def __get_action(self, environ): - """Maps git request commands into a pull or push command. + """ + Maps git request commands into a pull or push command. :param environ: """ service = environ['QUERY_STRING'].split('=') + if len(service) > 1: service_cmd = service[1] mapping = { 'git-receive-pack': 'push', 'git-upload-pack': 'pull', } - - return mapping.get(service_cmd, - service_cmd if service_cmd else 'other') + op = mapping[service_cmd] + self._git_stored_op = op + return op else: - return 'other' + # try to fallback to stored variable as we don't know if the last + # operation is pull/push + op = getattr(self, '_git_stored_op', 'pull') + return op
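Review bot: The fallback branch of `__get_action` reads `self._git_stored_op`, which is state on the middleware instance that serves every request, so the action assigned to a request without a `service=` query string (the POST leg of git smart HTTP) is whatever the most recent request stored, or the `'pull'` default, rather than a property of the request itself; with concurrent pull and push sessions `_check_permission` can then be evaluated against the wrong action. For that leg the service name is already in the request path (`PATH_INFO` ends in `git-receive-pack` or `git-upload-pack`), so the action should be derived from there and the stored attribute dropped entirely. `op = mapping[service_cmd]` also raises an unhandled `KeyError` for any other query value (and `service[1]` keeps everything after the first `=`, including further `&` parameters), where the replaced `.get` returned `'other'`. The caller of `__get_action` is outside the hunk, so that `'other'` remains handled downstream is inferred only from the `if action in ['pull', 'push']:` guard added in the first hunk.
```python
    def __get_action(self, environ):
        """
        Maps git request commands into a pull or push command.

        :param environ: WSGI environ of the current request
        """
        query = environ['QUERY_STRING'].split('=')
        if len(query) > 1:
            # first leg: GET .../info/refs?service=git-upload-pack
            service_cmd = query[1].split('&')[0]
        else:
            # second leg: POST .../git-upload-pack or .../git-receive-pack;
            # the service is the last path segment, never state kept on self
            service_cmd = environ.get('PATH_INFO', '').rstrip('/').rsplit('/', 1)[-1]
        mapping = {
            'git-receive-pack': 'push',
            'git-upload-pack': 'pull',
        }
        # unknown services stay 'other' so a pull-level default can never
        # satisfy the permission check for a different operation
        return mapping.get(service_cmd, 'other')
```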