diff options
| -rw-r--r-- | IkiWiki/Receive.pm | 26 | ||||
| -rw-r--r-- | IkiWiki/Wrapper.pm | 13 | ||||
| -rwxr-xr-x | ikiwiki.in | 5 |
3 files changed, 34 insertions, 10 deletions
diff --git a/IkiWiki/Receive.pm b/IkiWiki/Receive.pm index 451a3fe8e..72668d26a 100644 --- a/IkiWiki/Receive.pm +++ b/IkiWiki/Receive.pm @@ -7,7 +7,6 @@ use strict; use IkiWiki; sub getuser () { #{{{ - # CALLER_UID is set by the suid wrapper, to the original uid my $user=(getpwuid(exists $ENV{CALLER_UID} ? $ENV{CALLER_UID} : $<))[0]; if (! defined $user) { error("cannot determine username for $<"); @@ -21,6 +20,31 @@ sub trusted () { #{{{ ! grep { $_ eq $user } @{$config{untrusted_committers}}; } #}}} +sub gen_wrapper () { #{{{ + # Test for commits from untrusted committers in the wrapper, to + # avoid loading ikiwiki at all for trusted commits. + + my $ret=<<"EOF"; + { + int u=getuid(); +EOF + $ret.="\t\tif ( ". + join("&&", map { + my $uid=getpwnam($_); + if (! defined $uid) { + error(sprintf(gettext("cannot determine id of untrusted committer %s"), $_)); + } + "u != $uid"; + } @{$config{untrusted_committers}}). + ") exit(0);\n"; + $ret.=<<"EOF"; + asprintf(&s, "CALLER_UID=%i", u); + newenviron[i++]=s; + } +EOF + return $ret; +} #}}} + sub test () { #{{{ exit 0 if trusted(); diff --git a/IkiWiki/Wrapper.pm b/IkiWiki/Wrapper.pm index 0a2b8d4f8..fd8a0e5b0 100644 --- a/IkiWiki/Wrapper.pm +++ b/IkiWiki/Wrapper.pm @@ -36,7 +36,13 @@ sub gen_wrapper () { #{{{ addenv("$var", s); EOF } - + + my $test_receive=""; + if ($config{test_receive}) { + require IkiWiki::Receive; + $test_receive=IkiWiki::Receive::gen_wrapper(); + } + $Data::Dumper::Indent=0; # no newlines my $configstring=Data::Dumper->Dump([\%config], ['*config']); $configstring=~s/\\/\\\\/g; @@ -67,13 +73,12 @@ addenv(char *var, char *val) { } int main (int argc, char **argv) { - /* Sanitize environment. */ char *s; + +$test_receive $envsave newenviron[i++]="HOME=$ENV{HOME}"; newenviron[i++]="WRAPPED_OPTIONS=$configstring"; - asprintf(&s, "CALLER_UID=%i", getuid()); - newenviron[i++]=s; newenviron[i]=NULL; environ=newenviron; diff --git a/ikiwiki.in b/ikiwiki.in index d601d2739..f2407b8d0 100755 --- a/ikiwiki.in +++ b/ikiwiki.in @@ -123,11 +123,6 @@ sub getconfig () { #{{{ # optimisation for no-op post_commit exit 0; } - elsif ($config{test_receive}) { - # quick success if the user is trusted - require IkiWiki::Receive; - exit 0 if IkiWiki::Receive::trusted(); - } loadplugins(); checkconfig(); |