Merge tag 'v3.6.11'gitolite-gentoo-3.6.11

v3.6.11

5 files changed, 21 insertions, 13 deletions

diff --git a/CHANGELOG b/CHANGELOG
index dd5f1d3..9cb5ffb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+2019-01-08  v3.6.11 fix security issue in 'rsync' (bundle helper); see commit
+                    5df2b81 for more
+
 2018-09-30  v3.6.10 fix up boo-boo caused by previous release; see mails on
                     list for details
 
diff --git a/README.markdown b/README.markdown
index d821a1d..550759c 100644
--- a/README.markdown
+++ b/README.markdown
@@ -213,7 +213,7 @@ you; try running "gitolite help".
 
 # contact and support
 
-Please see <http://gitolite.com/gitolite/#contact> for mailing list and IRC
+Please see <http://gitolite.com/gitolite/#contactsupport> for mailing list and IRC
 info.
 
 # license
diff --git a/contrib/utils/testconf b/contrib/utils/testconf
index 5fa9194..03580f9 100755
--- a/contrib/utils/testconf
+++ b/contrib/utils/testconf
@@ -72,6 +72,14 @@
 # which will give you a much nicer output.  The only issue is if you have
 # include files, you will need to put that in the file whose name is sorted
 # first!
+#
+# Using a non-default ".gitolite.rc"
+# ==================================
+#
+# If your conf needs a non-default `~/.gitolite.rc`, copy the file you need as
+# "testconf.gitolite.rc" in the root directory of the gitolite-admin clone
+# where you are running "testconf".  (Whether you commit this file to the
+# gitolite-admin repo, or keep it local/untracked, is your call).
 
 # ----------------------------------------------------------------------
 od=$PWD
@@ -106,6 +114,9 @@ rm -rf           $testconf/.gitolite/conf
 mkdir -p         $testconf/.gitolite/conf
 cp -a $od/conf/* $testconf/.gitolite/conf/
 
+# copy rc from $od, if it exists
+[ -f $od/testconf.gitolite.rc ] && cp $od/testconf.gitolite.rc $testconf/.gitolite.rc
+
 # compile+
 
 gitolite compile
diff --git a/src/commands/option b/src/commands/option
index de49aab..de49aab 100644..100755
--- a/src/commands/option
+++ b/src/commands/option
diff --git a/src/commands/rsync b/src/commands/rsync
index 1109ac4..c7b25d1 100755
--- a/src/commands/rsync
+++ b/src/commands/rsync
@@ -28,11 +28,6 @@ BUNDLE SUPPORT
 
     (2) Add 'rsync' to the ENABLE list in the rc file
 
-
-GENERIC RSYNC SUPPORT
-
-    TBD
-
 =cut
 
 =for usage
@@ -43,7 +38,7 @@ BUNDLE SUPPORT
     Admins: see src/commands/rsync for setup instructions
 
     Users:
-        rsync -P git@host:repo.bundle .
+        rsync git@host:repo.bundle .
             # downloads a file called "<basename of repo>.bundle"; repeat as
             # needed till the whole thing is downloaded
         git clone repo.bundle repo
@@ -51,9 +46,8 @@ BUNDLE SUPPORT
         git remote set-url origin git@host:repo
         git fetch origin    # and maybe git pull, etc. to freshen the clone
 
-GENERIC RSYNC SUPPORT
-
-    TBD
+    NOTE on options to the rsync command: you are only allowed to use the
+    "-v", "-n", "-q", and "-P" options.
 
 =cut
 
@@ -62,9 +56,9 @@ usage() if not @ARGV or $ARGV[0] eq '-h';
 # rsync driver program.  Several things can be done later, but for now it
 # drives just the 'bundle' transfer.
 
-if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (-[-\w=.]+ )+\. (\S+)\.bundle$/ ) {
+if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (?:-[vn]*(?:e\d*\.\w*)? )?\. (\S+)\.bundle$/ ) {
 
-    my $repo = $2;
+    my $repo = $1;
     $repo =~ s/\.git$//;
 
     # all errors have the same message to avoid leaking info
@@ -81,7 +75,7 @@ if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (-[-\w=.]+ )+\. (\S
     exit 0;
 }
 
-_warn "invalid rsync command '$ENV{SSH_ORIGINAL_COMMAND}'";
+_warn "Sorry, you are only allowed to use the '-v', '-n', '-q', and '-P' options.";
 usage();
 
 # ----------------------------------------------------------------------