On Mon, Oct 22, 2012 at 08:29:17 GMT, Valentin Haenel wrote:
> @@ -554,6 +557,25 @@ static void process_request(void *cbdata)
>               return;
>       }
>  
> +     /* Here we do the authorization check.
> +      *
> +      * TODO figure out if this is the correct place to do the check
> +      *
> +      */
> +     if (ctx->cfg.authz_exec && ctx->repo &&
> +                                     system(fmt("%s %s %s",

Single quote the arguments to the executable. This is ripe for code
execution (remote_user is under attacker's control).

> +                                     ctx->cfg.authz_exec,
> +                                     ctx->repo->name,
> +                                     ctx->env.remote_user)) != 0) {
> +             cgit_print_http_headers(ctx);
> +             cgit_print_docstart(ctx);
> +             cgit_print_pageheader(ctx);
> +             cgit_print_error(fmt("Authorization failed for repo: '%s' and 
> user: '%s'",
> +                                     ctx->repo->name, ctx->env.remote_user));
> +             cgit_print_docend();
> +             return;
> +     }
> +
>       if (ctx->repo && prepare_repo_cmd(ctx))
>               return;
>  
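Review bot: The `if` at the top of the added block passes `ctx->env.remote_user` straight into a `%s` of `fmt()` with no NULL check; if REMOTE_USER can be unset on an unauthenticated request, that is undefined behavior in standard C and on glibc yields the literal string `(null)` as the username handed to the authorization hook, so the check should deny up front with `if (!ctx->env.remote_user)` taking the same error path. Separately, `system()` hands the whole string to `/bin/sh`, so the safer shape is `fork()` plus `execl()` with the three values as a fixed argv, which keeps the shell out of the path whatever the repository name or user string contains. The current `!= 0` test also compares a wait status (or -1 when the spawn fails) rather than the hook's exit code; with `waitpid()` the result can be decoded with `WIFEXITED`/`WEXITSTATUS` while still failing closed on any spawn or wait error. process_request begins and continues outside the hunk.
```c
	/* … unchanged: earlier checks in process_request … */
	if (ctx->cfg.authz_exec && ctx->repo) {
		int denied = 1;	/* fail closed: only an exit status of 0 grants access */
		if (ctx->env.remote_user) {
			pid_t pid = fork();
			if (pid == 0) {
				execl(ctx->cfg.authz_exec, ctx->cfg.authz_exec,
				      ctx->repo->name, ctx->env.remote_user,
				      (char *)NULL);
				_exit(127);
			} else if (pid > 0) {
				int status;
				if (waitpid(pid, &status, 0) == pid &&
				    WIFEXITED(status) && WEXITSTATUS(status) == 0)
					denied = 0;
			}
		}
		if (denied) {
			/* … unchanged: headers, error page, docend, return … */
		}
	}
```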
> diff --git a/cgit.h b/cgit.h
> index 016baa8e7d..14fc2fb777 100644
> --- a/cgit.h
> +++ b/cgit.h
> @@ -167,6 +167,7 @@ struct cgit_query {
>  struct cgit_config {
>       char *agefile;
>       char *user_envvar;
> +     char *authz_exec;

Where is this free'd?

-- Ben

