Check-in [f79eaca9ca]


Overview
Comment:Updated to ensure that no non-default SSH command is used for a pull
SHA1: f79eaca9ca2589afa490fe8571af1867242318e1
User & Date: rkeene 2016-11-22 18:22:28.680
Context
2016-11-22
19:29
Updated to log queries that fail and why they fail check-in: e1a97c62e1 user: rkeene tags: trunk
18:22
Updated to ensure that no non-default SSH command is used for a pull check-in: f79eaca9ca user: rkeene tags: trunk
2016-10-03
16:56
Ensure username is properly sanitized check-in: ec1cc1e2e0 user: rkeene tags: trunk
Changes
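--- a/nano/fossil.php
+++ b/nano/fossil.php
@@ -268,14 +268,21 @@
             if (file_exists($url) || preg_match('/:\/\//', $url) == 0) {
                 $outputstr = "Invalid URL";
                 return false;
             }
         }
 
         if (file_exists("{$this->path}{$repo}.fossil")) {
+            # Ensure that no non-default SSH command can be used for a pull
+            exec("timeout 3600 /usr/local/bin/fossil unset ssh-command -R " . escapeshellarg("{$this->path}{$repo}.fossil") . " 2>&1",
+              $output, $return);
+            if ($return !== 0) {
+                return false;
+            }
+
             if ($url == '') {
                 exec($this->getFossilCommand(3600) . " pull -R " . escapeshellarg("{$this->path}{$repo}.fossil") . " 2>&1",
                   $output, $return);
             } else {
                 exec($this->getFossilCommand(3600) . " pull " . escapeshellarg($url) . " -R " . escapeshellarg("{$this->path}{$repo}.fossil") . " 2>&1",
                   $output, $return);
             }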
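Review bot: The new early `return false` after the `fossil unset ssh-command` call leaves `$outputstr` untouched, so the caller gets no reason for the refusal, unlike the "Invalid URL" branch just above; setting it first, e.g. `$outputstr = "Unable to clear ssh-command: " . implode("\n", $output);`, would make a blocked pull diagnosable. The same call hard-codes `timeout 3600 /usr/local/bin/fossil` while both pull lines go through `$this->getFossilCommand(3600)`; if bypassing the helper is deliberate it deserves a short comment saying why, otherwise reusing the helper keeps the binary path and timeout in one place. As far as the visible command shows, the unset clears only the setting stored in the repository file, and the URL check in the context lines still accepts any scheme containing `://`, so limiting pulls to the schemes the service intends to support would be a useful second layer. The enclosing function starts and ends outside this hunk, so how `$outputstr` and `$output` are consumed afterwards is inferred, not seen.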