authorRichard Maw <richard.maw@gmail.com>2017-01-08 15:20:26 +0000
committerRichard Maw <richard.maw@gmail.com>2017-01-08 15:20:26 +0000
commitea755bc141f9dc3c0ccabe6bb6a7ab6e275afc54 (patch)
tree70ac6036de815f694a8cffcc956d73fd3b1e347d
parent10a1c4f55737b8abb5da9e7e788a394fde0490cc (diff)
testing: Disable variable dump by default
It's a security risk to allow gitano to write to an arbitrary path based on the value of an environment variable. It's low risk since by default gitano is run directly by the http or ssh server, which do not set variables by default, but it's trivial enough to leave it commented out.
-rw-r--r--TESTING3
-rw-r--r--lib/gitano/repository.lua2
2 files changed, 4 insertions, 1 deletions
diff --git a/TESTING b/TESTING
index 1619666..c50744c 100644
--- a/TESTING
+++ b/TESTING
@@ -262,7 +262,8 @@ depends on the operation, and in many cases the data in the repository.
This makes it difficult to know exactly what variables are available.
-To aid with this, if `GITANO_DUMP_VARIABLE_FILE` is set in the environment
+To aid with this uncomment the block in `lib/gitano/lace.lua`
+and if `GITANO_DUMP_VARIABLE_FILE` is set in the environment
it will write a table of variables and the operations they exist in
to the file path in `GITANO_DUMP_VARIABLE_FILE`.
diff --git a/lib/gitano/repository.lua b/lib/gitano/repository.lua
index e48267f..12c0248 100644
--- a/lib/gitano/repository.lua
+++ b/lib/gitano/repository.lua
@@ -165,6 +165,7 @@ end
function repo_method:run_lace(context)
self:populate_context(context)
config.populate_context(self.config, context)
+ --[[ Uncomment this to enable variable dumping.
local vardump = luxio.getenv("GITANO_DUMP_VARIABLE_FILE")
if vardump then
local io = require "io"
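Review bot: The opening marker `--[[ Uncomment this to enable variable dumping.` does not say why the block is disabled, so someone re-enabling it will not learn that the dump is written to whatever path `GITANO_DUMP_VARIABLE_FILE` names. I would carry the commit message's reasoning into the code, for example `--[[ Disabled by default: writes to the path in GITANO_DUMP_VARIABLE_FILE. Enable only in a test environment.`. Separately, the TESTING hunk in this commit tells readers to uncomment the block in `lib/gitano/lace.lua`, while the block commented out here is in `lib/gitano/repository.lua`; going by the diffstat the TESTING text looks like the one to correct. The body of run_lace continues beyond this hunk.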
@@ -188,6 +189,7 @@ function repo_method:run_lace(context)
fh:write(pretty.write(t))
fh:close()
end
+ --]]
return lace.run(self.lace, context)
end
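Review bot: The block is fenced with a level-0 long bracket (`--[[` closed by `--]]`), and a level-0 long comment ends at the first `]]` inside it. The lines between the two hunks are not shown, so I cannot tell whether the dump code contains a nested index such as `t[k[i]]`. If it does, the comment closes early and the remainder either fails to parse or runs unconditionally. A levelled bracket removes the doubt: open with `--[==[ Uncomment this to enable variable dumping.` and close with `--]==]`. run_lace begins before this hunk.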