Posted to commits@whimsical.apache.org by se...@apache.org on 2020/10/03 16:12:39 UTC
[whimsy] branch master updated: Revert
9187b9a00b4c899700502a920cfbd0bad0ece79d
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new b75dc0e Revert 9187b9a00b4c899700502a920cfbd0bad0ece79d
b75dc0e is described below
commit b75dc0ec4a1001ed8718a0360380ccdda996286d
Author: Sebb <se...@apache.org>
AuthorDate: Sat Oct 3 17:12:30 2020 +0100
Revert 9187b9a00b4c899700502a920cfbd0bad0ece79d
---
lib/whimsy/asf/svn.rb | 60 ++++++++++++++++++++++++++-------------------------
1 file changed, 31 insertions(+), 29 deletions(-)
diff --git a/lib/whimsy/asf/svn.rb b/lib/whimsy/asf/svn.rb
index 151e0b4..e0824e0 100644
--- a/lib/whimsy/asf/svn.rb
+++ b/lib/whimsy/asf/svn.rb
@@ -22,13 +22,14 @@ module ASF
else
svn_base = 'https://svn.apache.org/repos/'
end
- @base = URI.parse(svn_base)
+ @base = URI.parse(svn_base).untaint
@mock = 'file:///var/tools/svnrep/'
@semaphore = Mutex.new
@testdata = {}
# path to <tt>repository.yml</tt> in the source.
- REPOSITORY = File.expand_path('../../../../repository.yml', __FILE__)
+ REPOSITORY = File.expand_path('../../../../repository.yml', __FILE__).
+ untaint
@@repository_mtime = nil
@@repository_entries = nil
@svnHasPasswordFromStdin = nil
@@ -37,7 +38,7 @@ module ASF
# subversion paths; values are file paths.
def self.repos
@semaphore.synchronize do
- svn = Array(ASF::Config.get(:svn))
+ svn = Array(ASF::Config.get(:svn)).map {|dir| dir.untaint}
# reload if repository changes
if File.exist?(REPOSITORY) && @@repository_mtime!=File.mtime(REPOSITORY)
@@ -59,7 +60,7 @@ module ASF
end
@repos = Hash[Dir[*svn].map { |name|
- if Dir.exist? name
+ if Dir.exist? name.untaint
out, _ = self.getInfoItem(name, 'url')
if out
[out.sub(/^http:/,'https:'), name]
@@ -75,7 +76,7 @@ module ASF
# set a local directory corresponding to a path in Subversion. Useful
# as a test data override.
def self.[]=(name, path)
- @testdata[name] = File.expand_path(path)
+ @testdata[name] = File.expand_path(path).untaint
end
# find a local directory corresponding to a path in Subversion. Throws
@@ -136,7 +137,7 @@ module ASF
unless url # bad entry
raise Exception.new("Unable to find url attribute for SVN entry #{name}")
end
- return (@base+url).to_s
+ return (@base+url).to_s.untaint # to_s makes the var tainted
end
# fetch a repository URL by name - abort if not found
@@ -178,7 +179,7 @@ module ASF
# recursively try parent directory
if not result and name.include? '/'
- base = File.basename(name)
+ base = File.basename(name).untaint
parent = find(File.dirname(name))
if parent and File.exist?(File.join(parent, base))
result = File.join(parent, base)
@@ -544,13 +545,13 @@ module ASF
# user and password are required because the default URL is private
def self.updateCI(msg, env, options={})
# Allow override for testing
- ciURL = options[:url] || self.svnurl('board')
+ ciURL = options[:url] || self.svnurl('board').untaint
Dir.mktmpdir do |tmpdir|
# use dup to make testing easier
- user = env.user
- pass = env.password
+ user = env.user.dup.untaint
+ pass = env.password.dup.untaint
# checkout committers/board (this does not have many files currently)
- out, err = self.svn('checkout', [ciURL, tmpdir],
+ out, err = self.svn('checkout', [ciURL, tmpdir.untaint],
{quiet: true, depth: 'files',
user: user, password: pass})
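Review bot: `env.user.dup.untaint` and `env.password.dup.untaint` mark the caller's credentials as trusted without any check on their content, so the taint flag no longer says anything about values handed to `self.svn` as options. The existing comment `# use dup to make testing easier` explains the `dup` but not why clearing the flag is safe. If `env` carries request-supplied credentials (not visible in this hunk), validate them before untainting. Otherwise record the assumption next to the two lines, for example `# untaint: user/password are only passed to self.svn as option values (confirm they never reach a shell)`. `updateCI` continues past the end of the hunk.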
@@ -566,7 +567,7 @@ module ASF
File.write(file, info)
# commit the updated file
- out, err = self.svn('commit', [file, tmpdir],
+ out, err = self.svn('commit', [file, tmpdir.untaint],
{quiet: true, msg: msg,
user: user, password: pass})
@@ -591,10 +592,6 @@ module ASF
# :dryrun - show command (excluding credentials), without executing it
# :diff - show diff before committing
def self.update(path, msg, env, _, options={})
- # must be a valid local path
- unless path.start_with? '/' and not path.include? '..' and File.exist?(path)
- raise ArgumentError, "Invalid path #{path}"
- end
if File.directory? path
dir = path
basename = nil
@@ -603,6 +600,11 @@ module ASF
basename = File.basename(path)
end
+ if path.start_with? '/' and not path.include? '..' and File.exist?(path)
+ dir.untaint
+ basename.untaint
+ end
+
rc = 0
Dir.mktmpdir do |tmpdir|
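Review bot: The `if` added after the `dir`/`basename` assignment has no `else`, so a path that is relative, contains `..` or does not exist is no longer rejected; the guard removed at the top of `update` raised `ArgumentError` for it. Where taint checking is enforced, a later use of the still-tainted `dir` may fail, but on Ruby 2.7 and later `untaint` is a no-op and nothing stops the call from proceeding. Keep the rejection explicit by adding `else` and `raise ArgumentError, "Invalid path #{path}"` to the new block. `update` starts before this hunk and continues after it.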
@@ -612,7 +614,7 @@ module ASF
# retrieve the file to be updated (may not exist)
if basename
- tmpfile = File.join(tmpdir, basename)
+ tmpfile = File.join(tmpdir, basename).untaint
self.svn_('update', tmpfile, _, {env: env})
else
tmpfile = nil
@@ -655,7 +657,7 @@ module ASF
# commit the changes
rc = self.svn_('commit', tmpfile || tmpdir, _,
- {msg: msg, env: env})
+ {msg: msg.untaint, env: env})
# fail if there are pending changes
out, _err = self.svn('status', tmpfile || tmpdir) # Need to use svn rather than svn_ here
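Review bot: `msg.untaint` in the options passed to `svn_('commit', ...)` clears the taint flag on the caller's own string, because `untaint` modifies its receiver, and it does so with no check on the message content. `updateCI` in the same file uses `.dup.untaint` for its credentials; writing `{msg: msg.dup.untaint, env: env})` here keeps the side effect local to this call. The enclosing method starts and ends outside the hunk.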
@@ -700,7 +702,7 @@ module ASF
end
temp = options[:tmpdir]
- tmpdir = temp ? temp : Dir.mktmpdir
+ tmpdir = temp ? temp : Dir.mktmpdir.untaint
begin
cmdfile = Tempfile.new('svnmucc_input', tmpdir)
@@ -717,7 +719,7 @@ module ASF
syscmd = ['svnmucc',
'--non-interactive',
- '--extra-args', cmdfile.path,
+ '--extra-args', cmdfile.path.untaint,
'--message', msg,
'--no-auth-cache',
]
@@ -753,7 +755,7 @@ module ASF
end
end
ensure
- File.delete cmdfile.path # always drop the command file
+ File.delete cmdfile.path.untaint # always drop the command file
FileUtils.rm_rf tmpdir unless temp
end
end
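Review bot: In the `ensure` block, `File.delete cmdfile.path.untaint` raises `NoMethodError` if `Tempfile.new` failed and `cmdfile` is still nil, which hides the original exception and skips `FileUtils.rm_rf tmpdir`. This assumes the `ensure` pairs with the `begin` that creates `cmdfile` in the earlier hunk, which the diff does not show in one piece. A guard such as `File.delete cmdfile.path.untaint if cmdfile` keeps the temporary-directory cleanup reliable on that path.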
@@ -846,24 +848,24 @@ module ASF
# [out, extra]
# end
def self.multiUpdate_(path, msg, env, _, options = {})
- tmpdir = options[:tmpdir] || Dir.mktmpdir
+ tmpdir = options[:tmpdir] || Dir.mktmpdir.untaint
if File.file? path
- basename = File.basename(path)
- parentdir = File.dirname(path)
+ basename = File.basename(path).untaint
+ parentdir = File.dirname(path).untaint
parenturl = ASF::SVN.getInfoItem(parentdir,'url')
else
uri = URI.parse(path)
# allow file: and svn URIs for local testing
if %w(http https file svn).include? uri.scheme
- basename = File.basename(uri.path)
- parentdir = File.dirname(uri.path)
+ basename = File.basename(uri.path).untaint
+ parentdir = File.dirname(uri.path).untaint
uri.path = parentdir
parenturl = uri.to_s
else
raise ArgumentError.new("Path '#{path}' must be a file or URL")
end
end
- outputfile = File.join(tmpdir, basename)
+ outputfile = File.join(tmpdir, basename).untaint
begin
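Review bot: `File.basename(uri.path).untaint` and `File.join(tmpdir, basename).untaint` declare a caller-derived name trusted without checking it. `File.basename` can return `..`, `/` or an empty string (for a URL path ending in `/..`, or one that is just `/` or empty), in which case `outputfile` does not name a file inside `tmpdir`. Reject those values before untainting, e.g. `raise ArgumentError, "Path '#{path}' has no file name" if ['', '.', '..', '/'].include? basename`. `multiUpdate_` continues past the end of the hunk.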
@@ -1041,8 +1043,8 @@ module ASF
# [listing-name, temporary name]
def self.listingNames(name)
dir = self.svn_parent
- return File.join(dir,"%s.txt" % name),
- File.join(dir,"%s.tmp" % name)
+ return File.join(dir,"%s.txt" % name).untaint,
+ File.join(dir,"%s.tmp" % name).untaint
end
# Get all the SVN entries