Commit Graph

29 Commits (f15b0a03b52b6b6829d37603874411e52746910c)

Author SHA1 Message Date
Simon McVittie cf7df018cc IkiWiki::Receive: Avoid using asprintf
On GNU/Linux, it isn't declared in stdio.h unless we define
_GNU_SOURCE, which we don't; using the implicit declaration risks
crashes on platforms where sizeof(pointer) != sizeof(int). On other
platforms it isn't guaranteed to exist at all.

Signed-off-by: Simon McVittie <smcv@debian.org>
2017-10-01 13:21:56 +01:00
Simon McVittie 5f6f9a1bea Wrapper: allocate new environment dynamically
Otherwise, if third-party plugins extend newenviron by more than
3 entries, we could overflow the array. It seems unlikely that any
third-party plugin manipulates newenviron in practice, so this
is mostly theoretical. Just in case, I have deliberately avoided
using "i" as the variable name, so that any third-party plugin
that was manipulating newenviron directly will now result in the
wrapper failing to compile.

I have not assumed that realloc(NULL, ...) works as an equivalent of
malloc(...), in case there are still operating systems where that
doesn't work.
2016-05-11 09:18:14 +01:00
Joey Hess aa226bbb6b Consume all stdin when rcs_receive short-circuits, to avoid git SIGPIPE race.
We had a weird problem where, after moving to a new, faster server,
"git push" would sometimes fail like this:

Unpacking objects: 100% (3/3), done.
fatal: The remote end hung up unexpectedly
fatal: The remote end hung up unexpectedly

What turned out to be going on was that git-receive-pack was dying due
to an uncaught SIGPIPE. The SIGPIPE occurred when it tried to write to
the pre-receive hook's stdin. The pre-receive hook, in this case, was
able to do all the checks it needed to do without the input, and so did
exit(0) without consuming it.

Apparently that causes a race. Most of the time, git forks the hook,
writes output to the hook, and then the hook runs, ignores it, and exits.
But sometimes, on our new faster server, git forked the hook, and it
ran, and exited, before git got around to writing to it, resulting in
the SIGPIPE.

write(7, "c9f98c67d70a1cfeba382ec27d87644a"..., 100) = -1 EPIPE (Broken
pipe)
--- SIGPIPE (Broken pipe) @ 0 (0) ---

I think git should ignore SIGPIPE when writing to hooks. Otherwise,
hooks may have to go out of their way to consume all input, and as I've
seen, the races when they fail to do this can lurk undiscovered.

I have written to the git mailing list about this.

As a workaround, consume all stdin before exiting.
2011-12-05 15:17:01 -04:00
Joey Hess 1c5a3f2c67 Fix typo that broke anonymous git push. 2010-10-23 15:25:29 -04:00
Joey Hess faf94b5787 refactor check_canchange into IkiWiki library 2010-10-08 18:09:28 -04:00
Joey Hess fe582418d2 remove debugging dumper code 2010-10-04 16:56:21 -04:00
Joey Hess 3dce3cc1be indentation and layout 2010-10-04 16:56:04 -04:00
Peter Gammie 8024a2636f Complete rcs_preprevert and lightly test. 2010-10-01 14:06:00 +10:00
Joey Hess 2df0999e40 revert check_canedit nosubs thing
Abstraction violation. I now think the problem should be treated as a bug
in httpauth.
2010-08-30 18:31:56 -04:00
Joey Hess 70db57134a correct logic on error fallthrough 2010-08-30 18:20:34 -04:00
Joey Hess 8030ecac02 Receive: avoid hiding check_canedit error messages
Avoid the generic "you are not allowed to change" message,
and instead allow check_canedit to propagate out useful error messages.

Went back to calling check_canedit in fatal mode, but added a parameter to
avoid calling the troublesome subs that might cause a login attempt.
2010-08-30 17:58:00 -04:00
Joey Hess 426b3ad747 minor typo 2010-08-30 16:26:01 -04:00
Joey Hess 3b84ea2f53 add explicit check_canedit calls when checking canattach or canremove 2010-08-30 16:17:33 -04:00
Joey Hess a330b1ee74 Avoid trying to log the user in when receiving anonymous pushes from git and a plugin like httpauth returns a login function.
Just use check_canedit in nonfatal mode.
2010-08-30 16:05:15 -04:00
Joey Hess 69fc0f427e remove obsolete check to see if check_canedit is available
The function moved from the editpage plugin into IkiWiki core some time
ago.
2010-08-30 15:44:55 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess a97964688b unfinished file_prune revamp
Many calls to file_prune were incorrectly calling it with 2 parameters.
In cases where the filename being checked is relative to the srcdir,
that is not needed.

Made absolute filenames be pruned. (This won't work for the 2 parameter call
style.)
2010-04-17 19:05:40 -04:00
Joey Hess 93cd30bc0a Merge branch 'master' into cvs 2009-09-10 16:18:23 -04:00
Joey Hess 26dae8f049 clean up use of IkiWiki::Receive
Loading and use of IkiWiki::Receive can all be pushed into the git plugin,
rather than scattered around.

I had at first wanted to make a receive plugin and move it there,
but a plugin was not a good fit; you don't want users to have to manually
load it, and making the git plugin load the receive plugin at the right
times would need more, and ugly code.
2009-09-10 16:15:48 -04:00
Joey Hess f5bd1cf3cd typo 2009-09-10 13:49:42 -04:00
Joey Hess bb93fccf06 Coding style change: Remove explicit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess 7ddea03684 move untrusted committer test into the wrapper
This saves around 1/4th second per trusted commit since ikiwiki
doesn't need to start up.
2008-10-26 14:03:18 -04:00
Joey Hess 146192d5b0 the pre-receive wrapper needs to be suid after all
It needs to write to the user db.
2008-10-24 15:47:42 -04:00
Joey Hess 739e2ca0b4 can't lock wiki due to permissions (probably)
luckily, don't really need to here
2008-10-24 15:02:54 -04:00
Joey Hess 1a883b3c50 include temp file for attachment change too 2008-10-24 13:44:03 -04:00
Joey Hess fbcb8553df really fix calls to check_can* 2008-10-24 13:29:30 -04:00
Joey Hess f349e4ef36 fix calls to check_*
These throw errors, do not have useful return codes.
2008-10-23 18:05:12 -04:00
Joey Hess ad9e443f22 check_canattach hooked up 2008-10-23 16:56:40 -04:00
Joey Hess 4669eab596 more work on untrusted committers
Wired up check_canedit and check_canremove, still need to deal with
check_canattach, and test.
2008-10-23 16:29:50 -04:00