| author | Richard Maw <richard.maw@gmail.com> | 2017-01-08 15:20:26 +0000 |
|---|---|---|
| committer | Richard Maw <richard.maw@gmail.com> | 2017-01-08 15:20:26 +0000 |
| commit | ea755bc141f9dc3c0ccabe6bb6a7ab6e275afc54 | |
| tree | 70ac6036de815f694a8cffcc956d73fd3b1e347d | |
| parent | 10a1c4f55737b8abb5da9e7e788a394fde0490cc | |
| download | gitano-ea755bc141f9dc3c0ccabe6bb6a7ab6e275afc54.tar.gz | |
testing: Disable variable dump by default
It's a security risk to allow gitano to write to an arbitrary path
based on the value of an environment variable.
It's low risk since by default gitano is run directly by
the http or ssh server, which do not set variables by default,
but it's trivial enough to leave it commented out.
| -rw-r--r-- | TESTING | 3 |
|---|---|---|
| -rw-r--r-- | lib/gitano/repository.lua | 2 |

2 files changed, 4 insertions, 1 deletions
@@ -262,7 +262,8 @@ depends on the operation, and in many cases the data in the repository. This makes it difficult to know exactly what variables are available. -To aid with this, if `GITANO_DUMP_VARIABLE_FILE` is set in the environment +To aid with this uncomment the block in `lib/gitano/lace.lua` +and if `GITANO_DUMP_VARIABLE_FILE` is set in the environment it will write a table of variables and the operations they exist in to the file path in `GITANO_DUMP_VARIABLE_FILE`. diff --git a/lib/gitano/repository.lua b/lib/gitano/repository.lua index e48267f..12c0248 100644 --- a/lib/gitano/repository.lua +++ b/lib/gitano/repository.lua @@ -165,6 +165,7 @@ end function repo_method:run_lace(context) self:populate_context(context) config.populate_context(self.config, context) + --[[ Uncomment this to enable variable dumping. local vardump = luxio.getenv("GITANO_DUMP_VARIABLE_FILE") if vardump then local io = require "io" @@ -188,6 +189,7 @@ function repo_method:run_lace(context) fh:write(pretty.write(t)) fh:close() end + --]] return lace.run(self.lace, context) end |
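Review bot: the TESTING hunk points readers at the wrong file. The new text says to "uncomment the block in `lib/gitano/lace.lua`", but the block that this same patch comments out lives in `lib/gitano/repository.lua` (see the `diff --git a/lib/gitano/repository.lua` header below it). Suggest `+To aid with this uncomment the block in `lib/gitano/repository.lua``. It would also help to say the block is inside `repo_method:run_lace` and to repeat the commit message's caveat that uncommenting it makes gitano write to whatever path `GITANO_DUMP_VARIABLE_FILE` names, so it should only be enabled in a test checkout.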
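Review bot: in the `repository.lua` hunk, wrapping the dump block in `--[[ ... --]]` keeps the arbitrary-path write in the tree as code that anyone following TESTING re-enables verbatim; since the commit message already identifies the `luxio.getenv("GITANO_DUMP_VARIABLE_FILE")` write as the risk, either delete the block outright or gate it behind an explicit test-mode setting (for example a flag in the gitano configuration rather than a bare environment variable), so the production code path never contains the write at all. If the comment stays, note that a Lua `--[[` comment ends at the first `]]`, so any long-bracket string inside the elided lines 169-188 would terminate the comment early and silently re-enable part of the block; a level-1 long comment (`--[=[ ... ]=]`) avoids that.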