Indefero Commit Details

Date:

2011-09-03 12:30:34 (14 years 1 month ago)

Author:

Patrick Georgi

Branch:

feature.webrepos

Commit:

cdb8dbafe22fa3de4cd26c37da01c3b210255150

Parents:

33b22f95ab2ac93e795da463ab64d74c1e5a60fc

Message:

Write-protect git repository over HTTP!

I totally misunderstood the access control mechanism (but it's logical
that it behaves the way it does), and so on git projects with "open"
source access, repos were write-for-all.

This should fix it by enforcing member-or-owner auth for writes.

Signed-off-by: Patrick Georgi <patrick@georgi-clan.de>

Changes:

File differences

-982
983 983
984 984
985 
986 985
986
987
988
989
990
991
992
987 993
988 994
989 995
... ...
1000 1006
1001 1007
1002 1008
1003 
1004 1009
1010
1011
1012
1013
1014
1015
1016
1005 1017
1006 1018
1007 1019
+        if ($path == 'info/refs' && !empty($request->GET['service'])){␊
            $service = $request->GET['service'];␊
            switch ($service) {␊
            case 'git-upload-pack':␊
            case 'git-receive-pack':␊
                if (IDF_Precondition::projectMemberOrOwner($request) !== true) {␊
                    $response = new Pluf_HTTP_Response("");␊
                    $response->status_code = 401;␊
                    $response->headers['WWW-Authenticate']='Basic realm="git for '.$this->project.'"';␊
                    return $response;␊
                }␊
            case 'git-upload-pack':␊
                $content = sprintf('%04x',strlen($service)+15).␊
                         '# service='.$service."\n0000";␊
                $content .= self::shell_exec('IDF_Scm_Git::repository',␊

␊
        switch($path) {␊
        // smart HTTP RPC␊
        case 'git-upload-pack':␊
        case 'git-receive-pack':␊
                if (IDF_Precondition::projectMemberOrOwner($request) !== true) {␊
                    $response = new Pluf_HTTP_Response("");␊
                    $response->status_code = 401;␊
                    $response->headers['WWW-Authenticate']='Basic realm="git for '.$this->project.'"';␊
                    return $response;␊
                }␊
        case 'git-upload-pack':␊
            $response = new Pluf_HTTP_Response_CommandPassThru(␊
                   Pluf::f('idf_exec_cmd_prefix', '').$path.␊
                   ' --stateless-rpc '.$this->repo,␊
 ...
         if ($path == 'info/refs' && !empty($request->GET['service'])){␊
             $service = $request->GET['service'];␊
             switch ($service) {␊
-            case 'git-upload-pack':␊
             case 'git-receive-pack':␊
+                if (IDF_Precondition::projectMemberOrOwner($request) !== true) {␊
+                    $response = new Pluf_HTTP_Response("");␊
+                    $response->status_code = 401;␊
+                    $response->headers['WWW-Authenticate']='Basic realm="git for '.$this->project.'"';␊
+                    return $response;␊
+                }␊
+            case 'git-upload-pack':␊
                 $content = sprintf('%04x',strlen($service)+15).␊
                          '# service='.$service."\n0000";␊
                 $content .= self::shell_exec('IDF_Scm_Git::repository',␊
 ␊
         switch($path) {␊
         // smart HTTP RPC␊
-        case 'git-upload-pack':␊
         case 'git-receive-pack':␊
+                if (IDF_Precondition::projectMemberOrOwner($request) !== true) {␊
+                    $response = new Pluf_HTTP_Response("");␊
+                    $response->status_code = 401;␊
+                    $response->headers['WWW-Authenticate']='Basic realm="git for '.$this->project.'"';␊
+                    return $response;␊
+                }␊
+        case 'git-upload-pack':␊
             $response = new Pluf_HTTP_Response_CommandPassThru(␊
                    Pluf::f('idf_exec_cmd_prefix', '').$path.␊
                    ' --stateless-rpc '.$this->repo,␊

Download the corresponding diff file

Indefero

File differences

Branches

Tags