| blob | c3c5b1bc6fbcc99a19d4422954fb403c4320ce1d |
1 #!/bin/sh
2 #
3 # Abort any push early if the pushing user doesn't have any push permissions
4 # at all. This avoids unnecessary traffic and unpacked object pollution.
5 #
6 # Set GIT_HTTP_BACKEND_BIN to change the default http-backend binary from
7 # the default of Config.pm $git_http_backend_bin (which itself has a default
8 # of "/usr/lib/git-core/git-http-backend")
9 #
10 # Note that GIT_PROJECT_ROOT must be set to use this script.
11 #
12 # Also prevents standard error output from git-http-backend cluttering up the
13 # server's log unless GIT_HTTP_BACKEND_SHOW_ERRORS is set to a non-empty value.
15 set -e
17 . @basedir@/shlib.sh
19 unset GIT_USER_AGENT
22 export GIT_USER_AGENT
23 fi
29 # This script is called for both fetch and push.
30 # Only the following conditions trigger a push permissions check:
31 #
32 # 1. REQUEST_METHOD=GET
33 # and PATH_INFO ends with "/info/refs"
34 # and QUERY_STRING has "service=git-receive-pack"
35 #
36 # 2. REQUEST_METHOD=POST
37 # and PATH_INFO ends with "/git-receive-pack"
38 #
39 # Note that there is no check for PATH_INFO being under a certain root as
40 # it's presumed that GIT_PROJECT_ROOT has been set and so all PATH_INFO
41 # values are effectively forced under the desired root.
42 #
43 # The REQUEST_METHOD is validated. For smart HTTP requests only the project
44 # name is extracted and validated and the corresponding project directory must
45 # exist under $cfg_reporoot. Non-smart HTTP fetch requests (GET or HEAD) are
46 # passed on unchanged and unchecked.
48 errorhdrs()
49 {
57 }
59 msglines()
60 {
63 shift
64 done
65 }
67 internalerr()
68 {
71 msglines "Internal Server Error"
73 else
74 msglines "$@"
77 shift
78 done
79 fi
81 }
83 methodnotallowed()
84 {
87 msglines "Method Not Allowed"
88 else
89 msglines "$@"
90 fi
92 }
94 forbidden()
95 {
96 errorhdrs 403 Forbidden
98 msglines "Forbidden"
99 else
100 msglines "$@"
101 fi
103 }
105 needsauth()
106 {
109 msglines "Authorization Required"
110 else
111 msglines "$@"
112 fi
114 }
118 proj=
119 smart=
120 suffix=
121 needsauthcheck=
124 # We do not currently validate non-smart GET/HEAD requests.
125 # There are only 8 possible suffix values that need to be allowed for
126 # non-smart HTTP GET/HEAD fetches (see http-backend.c):
127 # /HEAD
128 # /info/refs
129 # /objects/info/alternates
130 # /objects/info/http-alternates
131 # /objects/info/packs
132 # /objects/[0-9a-f]{2}/[0-9a-f]{38}
133 # /objects/pack/pack-[0-9a-f]{40}.idx
134 # /objects/pack/pack-[0-9a-f]{40}.pack
142 ;;
147 ;;
148 esac
149 esac
156 suffix=git-receive-pack
157 ;;
161 suffix=git-upload-pack
162 ;;
163 *)
164 forbidden
166 ;;
167 esac
168 else
169 methodnotallowed
171 fi
174 # add a missing trailing .git
177 *)
179 esac
184 # Valid project names never end in .git (we add that automagically), so a valid
185 # fork can never have .git at the end of any path component except the last.
186 # We check this to avoid a situation where a certain collection of pushed refs
187 # could be mistaken for a GIT_DIR. Git would ultimately complain, but some
188 # undesirable things could happen along the way.
190 # Remove the leading $reporoot and trailing .git to get a test string
194 forbidden
196 esac
199 forbidden
201 fi
202 fi
207 else
209 fi
212 fi
219 fi
227 needsauth "Only authenticated users may push, sorry"
229 fi
231 if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
235 fi
236 fi
239 # If mob is enabled and mob has push permissions and
240 # the current user is not the mob then it's a personal mob push
241 # presuming the special mob directory has been set up
244 (
248 )
252 else
254 fi
257 fi
261 fi
263 (
267 )
270 else
272 fi