From mboxrd@z Thu Jan  1 00:00:00 1970
From: mathstuf at gmail.com (Ben Boeckel)
Date: Sun, 28 Oct 2012 01:00:29 +0000 (UTC)
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de>
 <1350894558-24840-2-git-send-email-valentin.haenel@gmx.de>
Message-ID: <k6i03d$mp0$3@ger.gmane.org>

On Mon, Oct 22, 2012 at 08:29:17 GMT, Valentin Haenel wrote:
> @@ -554,6 +557,25 @@ static void process_request(void *cbdata)
>  		return;
>  	}
>  
> +	/* Here we do the authorization check.
> +	 *
> +	 * TODO figure out if this is the correct place to do the check
> +	 *
> +	 */
> +	if (ctx->cfg.authz_exec && ctx->repo &&
> +					system(fmt("%s %s %s",

Single quote the arguments to the executable. This is ripe for code
execution (remote_user is under attacker's control).

> +					ctx->cfg.authz_exec,
> +					ctx->repo->name,
> +					ctx->env.remote_user)) != 0) {
> +		cgit_print_http_headers(ctx);
> +		cgit_print_docstart(ctx);
> +		cgit_print_pageheader(ctx);
> +		cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",
> +					ctx->repo->name, ctx->env.remote_user));
> +		cgit_print_docend();
> +		return;
> +	}
> +
>  	if (ctx->repo && prepare_repo_cmd(ctx))
>  		return;
>  
> diff --git a/cgit.h b/cgit.h
> index 016baa8e7d..14fc2fb777 100644
> --- a/cgit.h
> +++ b/cgit.h
> @@ -167,6 +167,7 @@ struct cgit_query {
>  struct cgit_config {
>  	char *agefile;
>  	char *user_envvar;
> +	char *authz_exec;

Where is this free'd?

-- Ben