authorRichard Maw <richard.maw@gmail.com>2016-09-24 16:05:21 +0100
committerRichard Maw <richard.maw@gmail.com>2016-09-24 16:43:03 +0100
commitff55c4ca98d48bbd87297217501c3de7ac1babe2 (patch)
tree2912c7e10a78da4572ff727f61c4349d251bd1ef /lib
parent7b4c305e0987833b7d2b9d72fbb06cd35b4c4712 (diff)
copy: Don't leak the existence of repositories
Previously copy would report that the target existed before running ACLs. While saving a bunch of effort by reporting this early, this means you can see if a repository exists by copying to it even if you haven't got read access to the repository. This is now changed to only report that after the writability check. This has been moved to before the creation check since for the sake of error reporting we should check in order of ascending privilege, and post-write-check is the earliest we can reveal the repository's existence.
Diffstat (limited to 'lib')
-rw-r--r--lib/gitano/copycommand.lua18
1 files changed, 10 insertions, 8 deletions
diff --git a/lib/gitano/copycommand.lua b/lib/gitano/copycommand.lua
index 6645dd2..f395d70 100644
--- a/lib/gitano/copycommand.lua
+++ b/lib/gitano/copycommand.lua
@@ -35,10 +35,6 @@ local function builtin_copy_validate(config, srcrepo, cmdline)
log.fatal("Cannot continue")
return false
end
- if not tgtrepo.is_nascent then
- log.error("Repository", tgtrepo.name, "already exists")
- return false
- end
cmdline.tgtrepo = tgtrepo
return true
end
@@ -52,16 +48,22 @@ local function builtin_copy_prep(config, srcrepo, cmdline, context)
if action ~= "allow" then
return action, reason
end
- -- Check 2, target repository can be created
+ -- Check 2, target repository can be written to
ctx = util.deep_copy(context)
- ctx.operation = "createrepo"
+ ctx.operation = "write"
action, reason = cmdline.tgtrepo:run_lace(ctx)
if action ~= "allow" then
return action, reason
end
- -- Check 3, target repository can be written to
+ -- Check 3, target repository does not already exist
+ -- We knew this for a while but failing earlier would leak its existence.
+ if not cmdline.tgtrepo.is_nascent then
+ log.error("Repository", cmdline.tgtrepo.name, "already exists")
+ return "deny", "Repository already exists"
+ end
+ -- Check 4, target repository can be created
ctx = util.deep_copy(context)
- ctx.operation = "write"
+ ctx.operation = "createrepo"
action, reason = cmdline.tgtrepo:run_lace(ctx)
if action ~= "allow" then
return action, reason
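Review bot: The write check at `ctx.operation = "write"` still hands back whatever `reason` `run_lace` produces, so if the ruleset gives a different denial for an existing target than for a nascent one (presumably possible when rules consult the target's own configuration), the repository's existence can still be inferred before Check 3 is reached. That depends on code outside this hunk, so it is worth confirming and pinning with a test that a user with no access receives the same denial for an existing and a non-existent target. The comment on Check 3 would also read better as an invariant for future edits, e.g. `-- Must stay after the write check: anything reported earlier reveals the repository's existence to users with no access to it.` `builtin_copy_prep` starts and ends outside the hunk.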