mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-10-05 18:50:09 +02:00
git: use /bin/true for 'askpass' to prevent all password prompts
This uses both the env vars and the command line options to ensure that it works with as many versions of git as possible. Also, git-svn uses the env vars, but not necessarily the command line options. This uses /bin/true to pretend that it successfully got the password. If password auth is truly required, then it will fail further on down the line.
parent
574fa15fce
commit
dd93ee6c9b
@ -815,6 +815,7 @@ class vcs_git(vcs):
|
|||||||
#
|
#
|
||||||
# supported in git >= 2.3
|
# supported in git >= 2.3
|
||||||
git_config = [
|
git_config = [
|
||||||
|
'-c', 'core.askpass=/bin/true',
|
||||||
'-c', 'core.sshCommand=/bin/false',
|
'-c', 'core.sshCommand=/bin/false',
|
||||||
'-c', 'url.https://.insteadOf=ssh://',
|
'-c', 'url.https://.insteadOf=ssh://',
|
||||||
]
|
]
|
||||||
@ -827,6 +828,8 @@ class vcs_git(vcs):
|
|||||||
git_config.append('url.https://u:p@' + domain + '.insteadOf=https://' + domain)
|
git_config.append('url.https://u:p@' + domain + '.insteadOf=https://' + domain)
|
||||||
envs.update({
|
envs.update({
|
||||||
'GIT_TERMINAL_PROMPT': '0',
|
'GIT_TERMINAL_PROMPT': '0',
|
||||||
|
'GIT_ASKPASS': '/bin/true',
|
||||||
|
'SSH_ASKPASS': '/bin/true',
|
||||||
'GIT_SSH': '/bin/false', # for git < 2.3
|
'GIT_SSH': '/bin/false', # for git < 2.3
|
||||||
})
|
})
|
||||||
return FDroidPopen(['git', ] + git_config + args,
|
return FDroidPopen(['git', ] + git_config + args,
|
||||||
@ -960,15 +963,27 @@ class vcs_gitsvn(vcs):
|
|||||||
|
|
||||||
def git(self, args, envs=dict(), cwd=None, output=True):
|
def git(self, args, envs=dict(), cwd=None, output=True):
|
||||||
'''Prevent git fetch/clone/submodule from hanging at the username/password prompt
|
'''Prevent git fetch/clone/submodule from hanging at the username/password prompt
|
||||||
|
|
||||||
|
AskPass is set to /bin/true to let the process try to connect
|
||||||
|
without a username/password.
|
||||||
|
|
||||||
|
The SSH command is set to /bin/false to block all SSH URLs
|
||||||
|
(supported in git >= 2.3). This protects against
|
||||||
|
CVE-2017-1000117.
|
||||||
|
|
||||||
'''
|
'''
|
||||||
# CVE-2017-1000117 block all SSH URLs (supported in git >= 2.3)
|
git_config = [
|
||||||
config = ['-c', 'core.sshCommand=false']
|
'-c', 'core.askpass=/bin/true',
|
||||||
|
'-c', 'core.sshCommand=/bin/false',
|
||||||
|
]
|
||||||
envs.update({
|
envs.update({
|
||||||
'GIT_TERMINAL_PROMPT': '0',
|
'GIT_TERMINAL_PROMPT': '0',
|
||||||
|
'GIT_ASKPASS': '/bin/true',
|
||||||
|
'SSH_ASKPASS': '/bin/true',
|
||||||
'GIT_SSH': '/bin/false', # for git < 2.3
|
'GIT_SSH': '/bin/false', # for git < 2.3
|
||||||
'SVN_SSH': '/bin/false',
|
'SVN_SSH': '/bin/false',
|
||||||
})
|
})
|
||||||
return FDroidPopen(['git', ] + config + args,
|
return FDroidPopen(['git', ] + git_config + args,
|
||||||
envs=envs, cwd=cwd, output=output)
|
envs=envs, cwd=cwd, output=output)
|
||||||
|
|
||||||
def gotorevisionx(self, rev):
|
def gotorevisionx(self, rev):
|
||||||
|
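Review bot: In `vcs_gitsvn.git` the signature keeps `envs=dict()` while the body calls `envs.update({...})`, so the keys this commit adds (`GIT_ASKPASS`, `SSH_ASKPASS`) are written into the shared default dict and into any dict a caller passes in. Copying first avoids both: make `envs = dict(envs)` the first statement after the docstring, or change the default to `envs=None` and build the dict inside. The `vcs_git` hunk shows the same `envs.update` call, but its signature lies outside the hunk, so check whether it has the same default. Separately, git consults configured credential helpers before askpass, so a helper in the build user's git config could presumably still be queried or raise its own prompt; passing `-c credential.helper=` (honoured by git >= 2.9) would clear the list if that matters here.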