From 614d4e40e148520ac511cbe0606bcbdcf24c8a08 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Sat, 21 Nov 2009 15:18:02 -0500 Subject: Added restrict_file_access to becommands' execute() args. + associated adjustments in other files. See cmdutil.restrict_file_access.__doc__ for an explanation of the security hole this closes. --- libbe/cmdutil.py | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'libbe/cmdutil.py') diff --git a/libbe/cmdutil.py b/libbe/cmdutil.py index 96430eb..e37750d 100644 --- a/libbe/cmdutil.py +++ b/libbe/cmdutil.py @@ -76,11 +76,12 @@ def get_command(command_name): return cmd -def execute(cmd, args, manipulate_encodings=True): +def execute(cmd, args, manipulate_encodings=True, restrict_file_access=False): enc = encoding.get_encoding() cmd = get_command(cmd) ret = cmd.execute([a.decode(enc) for a in args], - manipulate_encodings=manipulate_encodings) + manipulate_encodings=manipulate_encodings, + restrict_file_access=restrict_file_access) if ret == None: ret = 0 return ret @@ -213,6 +214,22 @@ def underlined(instring): return "%s\n%s" % (instring, "="*len(instring)) +def restrict_file_access(bugdir, path): + """ + Check that the file at path is inside bugdir.root. This is + important if you allow other users to execute becommands with your + username (e.g. if you're running be-handle-mail through your + ~/.procmailrc). If this check wasn't made, a user could e.g. + run + be commit -b ~/.ssh/id_rsa "Hack to expose ssh key" + which would expose your ssh key to anyone who could read the VCS + log. + """ + in_root = bugdir.vcs.path_in_root(path, bugdir.root) + if in_root == False: + raise UserError('file access restricted!\n %s not in %s' + % (path, bugdir.root)) + def parse_id(id): """ Return (bug_id, comment_id) tuple. -- cgit