Fossil

Check-in [abd05f29]

Overview
Comment:add privilege check to hook execution
SHA1:abd05f296e238c348c1f7d230d0f7aff52f044b3
User & Date: wolfgang 2010-10-23 17:02:07
Context
2010-10-24
06:53
add missing; check-in: e9fcc9af user: Ratte tags: StvPrivateHook2
2010-10-23
17:02
add privilege check to hook execution check-in: abd05f29 user: wolfgang tags: StvPrivateHook2
07:23
added hook info to sync/push help check-in: ba5e0344 user: Ratte tags: StvPrivateHook2
Changes

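--- a/src/db.c
+++ b/src/db.c
@@ -1530,14 +1530,16 @@
   { "push-hook-cmd", 0,               32, ""                    },
   { "push-hook-force",
                      0,                0, ""                    },
   { "push-hook-pattern-client",
                      0,               32, ""                    },
   { "push-hook-pattern-server",
                      0,               32, ""                    },
+  { "push-hook-privilege",
+                     0,               1,  ""                    },
   { "ssh-command",   0,               32, ""                    },
   { "web-browser",   0,               32, ""                    },
   { 0,0,0,0 }
 };
 
 /*
 ** COMMAND: settings
@@ -1628,14 +1630,19 @@
 **                  server, to activate the push hook command.
 **
 **    push-hook-pattern-server
 **                  if set, and a client send this pattern at the end of
 **                  a push, the push hook command will be executed. This
 **                  might be a prefix of the pattern, sent by the client.
 **
+**    push-hook-privilege
+**                  if set, the user doing the push needs this privilege
+**                  to trigger the hook. Valid privileges are:
+**                    s (setup), a (admin), i (checkin) or o (checkout)
+**
 **    ssh-command   Command used to talk to a remote machine with
 **                  the "ssh://" protocol.
 **
 **    web-browser   A shell command used to launch your preferred
 **                  web browser when given a URL as an argument.
 **                  Defaults to "start" on windows, "open" on Mac,
 **                  and "firefox" on Unix.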
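Review bot: The help text added for `push-hook-privilege` does not say what happens when the setting is empty or holds a letter outside `s`, `a`, `i`, `o`, and for a setting that gates command execution on the server those are the two cases an administrator most needs spelled out. Going by the check added to post_push_hook in src/xfer.c in this same check-in, an empty value skips the privilege check entirely and an unrecognised letter denies the hook for every user. I would extend the comment block with `**                  If unset, any user able to push can trigger the hook.` and `**                  Any other letter disables the hook for all users.` It would also help to state that only the first character of the value is used, since that is all the check in xfer.c reads.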

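--- a/src/xfer.c
+++ b/src/xfer.c
@@ -89,16 +89,41 @@
 void post_push_hook(char const * const zPushHookLine, const char requestType){
   /*
   ** TO DO: get the string cmd from a config file? Or the database local
   ** settings, as someone suggested? Ditto output and error logs. /fatman
   */
   const char *zCmd = db_get("push-hook-cmd", "");
   int allowForced = db_get_boolean("push-hook-force", 0);
+  const char *zHookPriv = db_get("push-hook-privilege","");
+  int privOk = 0;
 
+  if( zHookPriv && *zHookPriv ){
+    switch( *zHookPriv ){
+      
+      case 's':
+        if( g.okSetup ) privOk = 1;
+        break;
+      case 'a':
+        if( g.okAdmin ) privOk = 1;
+        break;
+      case 'i':
+        if( g.okWrite ) privOk = 1;
+        break;
+      case 'o':
+        if( g.okRead ) privOk = 1;
+        break;
+      default
+        fossil_print("Push hook wrong privilege type '%s'\n", zHookPriv);
+    }
+  }else{
+    privOk = 1;
+  }
+  if( !privOk ){
+    fossil_print("No privilege to activate hook!\n");
-  if( requestType!='P' &&  requestType!='C' && requestType!='F' ){
+  }else if( requestType!='P' &&  requestType!='C' && requestType!='F' ){
     fossil_print("Push hook wrong request type '%c'\n", requestType);
   }else if( requestType=='F' && !allowForced ){
     fossil_print("Forced push call from client not allowed,"
                  " skipping call for '%s'\n", zPushHookLine);
   }else if( zCmd && zCmd[0] ){
     int rc;
     char * zCalledCmd;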
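Review bot: `default` in the new `switch( *zHookPriv )` has no colon, so xfer.c does not compile as committed; it should read `default:` and, to match the other cases, end with `break;`. That branch leaves `privOk` at 0, so a mistyped setting denies the hook rather than running `push-hook-cmd`, and a comment such as `/* unknown letter: fail closed, hook is not run */` would keep a later edit from changing that. Two behaviours deserve a comment above the check: only the first character of the setting is examined, and an empty setting takes the `privOk = 1` branch, so by default every user who can push reaches the command execution further down. The match is exact per flag (`'a'` tests only `g.okAdmin`), which presumably relies on setup users also having `okAdmin` set; confirm against the login code. post_push_hook continues past the end of this section.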