Files @ a444c46a0649

Location: kallithea/dev_requirements.txt

Mads Kiilerich
middleware: fix handling of Git 'info/refs' command to give correct access control

For a pull, the Git client first sends an 'info/refs' command with a
'service=git-upload-pack' query, then it sends the actual 'git-upload-pack'
command.

For a push, the Git client first sends an 'info/refs' command with a
'service=git-receive-pack' query, then it sends the actual 'git-receive-pack'
command.

Before, the 'info/refs' commands would fall back to the default of trying to
use the action of the previous request. That seems wrong.

Instead, authorize the 'info/refs' command just like the actual command it
references.

path_info will now be checked more than before. Mainly because that is more
correct and more explicit and "better" to do it that way. It might also give
some safety.
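
The mapping the commit message describes, as an added Python example (not Kallithea's code): each Git smart-HTTP request is authorized from its own path and query, with 'info/refs' treated as the service it announces and anything unrecognized rejected instead of inheriting an earlier action. The function name, the 'pull'/'push' labels, the HTTP method checks and the rejection of 'info/refs' without a service parameter are assumptions of this example.

```python
from urllib.parse import parse_qs

# Permission each Git smart-HTTP service needs ('pull'/'push' are this
# example's labels, not names taken from the project).
SERVICE_ACTION = {"git-upload-pack": "pull", "git-receive-pack": "push"}


def required_action(method, path_info, query_string):
    """Return (repo, action) for a Git smart-HTTP request, or None to reject."""
    path = path_info.strip("/")
    if path.endswith("/info/refs"):
        # Discovery request: authorize it as the service it announces.
        if method != "GET":
            return None
        services = parse_qs(query_string).get("service", [])
        if len(services) != 1:  # missing or repeated parameter
            return None
        repo, service = path[: -len("/info/refs")], services[0]
    else:
        # The actual command: the service is the last path segment.
        if method != "POST":
            return None
        repo, _, service = path.rpartition("/")
    action = SERVICE_ACTION.get(service)
    if not repo or action is None:
        return None  # no fallback to a previous request's action
    return repo, action


# Constructed requests: (method, PATH_INFO, QUERY_STRING)
SAMPLES = [
    ("GET", "/proj/repo/info/refs", "service=git-upload-pack"),
    ("POST", "/proj/repo/git-upload-pack", ""),
    ("GET", "/proj/repo/info/refs", "service=git-receive-pack"),
    ("POST", "/proj/repo/git-receive-pack", ""),
    ("GET", "/proj/repo/info/refs", ""),  # no service named: rejected
    ("GET", "/proj/repo/info/refs",
     "service=git-upload-pack&service=git-receive-pack"),  # ambiguous: rejected
]

if __name__ == "__main__":
    for method, path, query in SAMPLES:
        print(method, path, query or "-", "->", required_action(method, path, query))
```
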
pytest >= 3.3.0, < 3.8
pytest-runner < 4.3
pytest-sugar >= 0.7.0, < 0.10
pytest-benchmark < 3.2
pytest-localserver < 0.5
mock < 2.1
Sphinx < 1.8
WebTest < 2.1