Commit 4ce00ae

security fix for optional ADC (admin-defined command) feature
Thanks to Dylan Simon for catching it...
1 parent 9b5793f commit 4ce00ae

1 file changed: +1 -0 lines changed

Diff for: src/gl-auth-command

@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n"
154154
if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
155155
my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
156156
if (-x "$GL_ADC_PATH/$cmd") {
157+
die "I don't like $cmd\n" if $cmd =~ /\.\./;
157158
# yes this is rather strict, sorry.
158159
do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args);
159160
&log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
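Review bot: the added `..` check sits inside the `if (-x "$GL_ADC_PATH/$cmd")` block, so the `-x` test still runs on the unvalidated path before anything is rejected, and a traversal path that is not executable skips the block without ever reaching the `die`. Move `die "I don't like $cmd\n" if $cmd =~ /\.\./;` to just after the `split` line, ahead of the `-x` test, so the path is validated before it touches the filesystem. The check rejects only `..`; if ADCs are meant to be files directly inside `$GL_ADC_PATH`, rejecting any `/` in `$cmd` at the same point would state that intent explicitly rather than relying on `$ADC_CMD_ARGS_PATT`, whose definition is not visible in this hunk. The `die` also fires before the `log_it` call, so consider logging the rejected command here so that attempts can be seen in the log. A one-line comment explaining why `..` is refused, in the style of the existing "rather strict" comment, would help later readers.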
