
MAJOR BUGFIX: disallow "hooks" directory in admin repo

Although this is not a "hole" that allows a normal user to bypass
controls, I still consider this a hole in the sense that I want to
separate "admin push" rights from "shell access on server" rights.

(I realise that most people don't make this distinction, but I do, and
for me and most sites I consult for it is important).

Thanks to drue on #gitolite who pointed it out excitedly, and apologies
for killing what he thought of as a feature!
sitaramc committed May 22, 2012
1 parent dd08308 commit 5298a79cb503c9034de5e2dbc88ed0c9b72a566f
Showing with 1 addition and 1 deletion.
  1. +1 −1 src/lib/Gitolite/Hooks/PostUpdate.pm
@@ -23,7 +23,7 @@ sub post_update {
# this is the *real* post_update hook for gitolite
tsh_try("git ls-tree --name-only master");
_die "no files/dirs called 'hooks' or 'logs' are allowed" if tsh_text() =~ /^(hooks|logs)$/;
_die "no files/dirs called 'hooks' or 'logs' are allowed" if tsh_text() =~ /^(hooks|logs)$/m;
{
local $ENV{GIT_WORK_TREE} = $rc{GL_ADMIN_BASE};
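
Review bot: the result of `tsh_try("git ls-tree --name-only master")` is not checked before `tsh_text()` is matched, so if the ls-tree call fails and leaves no output, the 'hooks'/'logs' check passes silently; consider dying when the call does not succeed. The `/m` on the second `_die` line is what makes `^` and `$` anchor at each line of the multi-line listing instead of only at the start and end of the whole output, so it deserves a one-line comment above the check and a regression test that pushes a top-level `hooks` entry alongside other files, otherwise the flag is easy to drop in a later cleanup.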
