cpack_repository/commit
SECURITY: Do some sanity checks on the URL from which we clone new packages. Jacco van Ossenbruggen.
author | Jan Wielemaker |
---|---|
Tue Jun 21 12:01:45 2011 +0200 | |
committer | Jan Wielemaker |
Tue Jun 21 12:01:45 2011 +0200 | |
commit | 66da8dd748a375b0b6511154372b97449b75d5e5 |
tree | db168cbc758010fe21552d19b452e4525c8b36fa |
parent | 148d4626f714a4bb0f466913b855cfce9ef3dc5f |
Diff style: patch stat
diff --git a/applications/cpack_submit.pl b/applications/cpack_submit.pl index 0c1de14..2f3f7d6 100644 --- a/applications/cpack_submit.pl +++ b/applications/cpack_submit.pl @@ -71,6 +71,7 @@ cpack_submit_form(_Request) :- [ title('Submit repository to CPACK') ], [ h1('Submit repository to CPACK'), + \explain_submit, form([ action(location_by_id(cpack_submit)) ], table(class(form), @@ -87,6 +88,13 @@ cpack_submit_form(_Request) :- ])) ]). +explain_submit --> + html(p([ 'Please enter a valid GIT URL from which the CPACK manager ', + 'can clone the package. The URL must be a git://, http:// or ', + 'https:// URL. Notably SSH URLs are not allowed.' + ])). + + %% cpack_submit(+Request) % % HTTP API to add a new GIT repository as a pack. This clones the diff --git a/lib/cpack/repository.pl b/lib/cpack/repository.pl index 50b1725..9b36f06 100644 --- a/lib/cpack/repository.pl +++ b/lib/cpack/repository.pl @@ -83,6 +83,7 @@ % Add the given branch rather than the master cpack_add_repository(User, URL, Options) :- + git_check_url(URL), url_package(URL, Package), package_graph(Package, Graph), file_name_extension(Package, git, BareGit), @@ -97,6 +98,28 @@ cpack_add_repository(User, URL, Options) :- [user(User),cloned(URL)|Options]) ). +%% git_check_url(+URL) is det. +% +% Verify that the URL is either git://, http:// or https://. +% Notaby, avoid SSH URLs that would make the ClioPatria server try +% ssh connections that would normally not be allowed. +% +% @error(permission_error(add_repository_from, url, URL) + +git_check_url(URL) :- + uri_components(URL, Components), + uri_data(scheme, Components, Scheme), + safe_scheme(Scheme), !. +git_check_url(URL) :- + permission_error(add_repository_from, + url, + URL). + +safe_scheme(git). +safe_scheme(http). +safe_scheme(https). + + %% cpack_update_package(+User, +Package) is det. % % Update the given package.