contains no other registered repositories, it will stay in that directory,
and work on only that repository,
+B<mr> is configured by .mrconfig files, which list the repositories. It
+starts by reading the .mrconfig file in your home directory, and this can
+in turn chain load .mrconfig files from repositories.
+
These predefined commands should be fairly familiar to users of any revision
control system:
Causes mr to download the url, save it to a .mrconfig file in the
current directory, and then check out all repositories listed in it.
-(Please only do this if you have reason to trust the url, since
-mrconfig files can contain arbitrary commands!)
-
=item list (or ls)
List the repositories that mr will act on.
ssh connection limits. Running between 3 and 5 jobs at a time will yield
a good speedup in updates without loading the machine too much.
-=back
+=item -t
-=head1 FILES
+Trust all mrconfig files even if they are not listed in ~/.mrtrust.
+Use with caution.
-B<mr> is configured by .mrconfig files. It starts by reading the .mrconfig
-file in your home directory, and this can in turn chain load .mrconfig files
-from repositories.
+=back
+
+=head1 "MRCONFIG FILES"
Here is an example .mrconfig file:
=item chain
If the "chain" parameter is set and its command returns true, then B<mr>
-will try to load a .mrconfig file from the root of the repository. (You
-should avoid chaining from repositories with untrusted committers.)
+will try to load a .mrconfig file from the root of the repository.
=item include
or even to add other commands for 'mr online' to run. If the file is
present, mr assumes it is in offline mode.
+=head "UNTRUSTED MRCONFIG FILES"
+
+Since mrconfig files can contain arbitrary shell commands, they can do
+anything. This flexability is good, but it also allows a malicious mrconfig
+file to delete your whole home directory. Such a file might be contained
+inside a repository that your main ~/.mrconfig checks out and chains to. To
+avoid worries about evil commands in a mrconfig file, mr
+has the ability to read mrconfig files in untrusted mode. Such files are
+limited to running only known safe commands (like "git clone") in a
+carefully checked manner.
+
+By default, mr trusts all mrconfig files. (This default will change in a
+future release!) But if you have a ~/.mrtrust file, mr will only trust
+mrconfig files that are listed within it. (One file per line.) All other
+files will be treated as untrusted.
+
=head1 EXTENSIONS
mr can be extended to support things such as unison and git-svn. Some
my $max_depth;
my $no_chdir=0;
my $jobs=1;
+my $trust_all=0;
my $directory=getcwd();
$ENV{MR_CONFIG}="$ENV{HOME}/.mrconfig";
return $val;
}
+my %trusted;
+sub is_trusted_config {
+ my $config=shift; # must be abs_pathed already
+
+ # We always trust ~/.mrconfig.
+ return 1 if $config eq abs_path("$ENV{HOME}/.mrconfig");
+
+ return 1 if $trust_all;
+
+ my $trustfile=$ENV{HOME}."/.mrtrust";
+
+ if (! -e $trustfile) {
+ print "mr: Assuming $config is trusted.\n";
+ print "mr: For better security, you are encouraged to create ~/.mrtrust\n";
+ print "mr: and list all trusted mrconfig files in it.\n";
+ return 1;
+ }
+
+ if (! %trusted) {
+ $trusted{"$ENV{HOME}/.mrconfig"}=1;
+ open (TRUST, "<", $trustfile) || die "$trustfile: $!";
+ while (<TRUST>) {
+ chomp;
+ s/^~\//$ENV{HOME}\//;
+ $trusted{abs_path($_)}=1;
+ }
+ close TRUST;
+ }
+
+ return $trusted{$config};
+}
+
+
+sub is_trusted_repo {
+ my $repo=shift;
+
+ # Tightly limit what is allowed in a repo name.
+ # No ../, no absolute paths, and no unusual filenames
+ # that might try to escape to the shell.
+ return $repo =~ /^[-_.+\/A-Za-z0-9]+$/ &&
+ $repo !~ /\.\./ && $repo !~ /^\//;
+}
+
+sub is_trusted_checkout {
+ my $command=shift;
+
+ # To determine if the command is safe, compare it with the
+ # *_trusted_checkout config settings. Those settings are
+ # templates for allowed commands, so make sure that each word
+ # of the command matches the corresponding word of the template.
+
+ my @words;
+ foreach my $word (split(' ', $command)) {
+ # strip quoting
+ if ($word=~/^'(.*)'$/) {
+ $word=$1;
+ }
+ elsif ($word=~/^"(.*)"$/) {
+ $word=$1;
+ }
+
+ push @words, $word;
+ }
+
+ foreach my $key (grep { /_trusted_checkout$/ }
+ keys %{$config{''}{DEFAULT}}) {
+ my @twords=split(' ', $config{''}{DEFAULT}{$key});
+ next if @words > @twords;
+
+ my $match=1;
+ my $url;
+ for (my $c=0; $c < @twords && $match; $c++) {
+ if ($twords[$c] eq '$url') {
+ # Match all the typical characters found in
+ # urls, plus @ which svn can use. Note
+ # that the "url" might also be a local
+ # directory.
+ $match=(
+ defined $words[$c] &&
+ $words[$c] =~ /^[-_.+:@\/A-Za-z0-9]+$/
+ );
+ $url=$words[$c];
+ }
+ elsif ($twords[$c] eq '$repo') {
+ # If a repo is not specified, assume it
+ # will be the last path component of the
+ # url, or something derived from it, and
+ # check that.
+ if (! defined $words[$c] && defined $url) {
+ ($words[$c])=$url=~/\/([^\/]+)\/?$/;
+ }
+
+ $match=(
+ defined $words[$c] &&
+ is_trusted_repo($words[$c])
+ );
+ }
+ elsif (defined $words[$c] && $twords[$c] eq $words[$c]) {
+ $match=1;
+ }
+ else {
+ $match=0;
+ }
+ }
+ return 1 if $match;
+ }
+
+ return 0;
+}
+
my %loaded;
sub loadconfig {
my $f=shift;
my $in;
my $dir;
+ my $trusted;
if (ref $f eq 'GLOB') {
$dir="";
- $in=$f;
+ $in=$f;
+ $trusted=1;
}
else {
if (! -e $f) {
}
$loaded{$absf}=1;
+ $trusted=is_trusted_config($absf);
+
($dir)=$f=~/^(.*\/)[^\/]+$/;
if (! defined $dir) {
$dir=".";
chomp;
next if /^\s*\#/ || /^\s*$/;
if (/^\[([^\]]*)\]\s*$/) {
- $section=expandenv($1);
+ $section=$1;
+
+ if (! $trusted) {
+ if (! is_trusted_repo($section) ||
+ $section eq 'ALIAS' ||
+ $section eq 'DEFAULT') {
+ die "mr: illegal section \"[$section]\" in untrusted $f line $line\n";
+ }
+ }
+ $section=expandenv($section) if $trusted;
}
elsif (/^(\w+)\s*=\s*(.*)/) {
my $parameter=$1;
chomp $value;
}
+ if (! $trusted) {
+ # Untrusted files can only contain checkout
+ # parameters.
+ if ($parameter ne 'checkout') {
+ die "mr: illegal setting \"$parameter=$value\" in untrusted $f line $line\n";
+ }
+ if (! is_trusted_checkout($value)) {
+ die "mr: illegal checkout command \"$value\" in untrusted $f line $line\n";
+ }
+ }
+
if ($parameter eq "include") {
print "mr: including output of \"$value\"\n" if $verbose;
unshift @lines, `$value`;
"i|interactive" => \$interactive,
"n|no-recurse:i" => \$max_depth,
"j|jobs:i" => \$jobs,
+ "t|trust-all" => \$trust_all,
);
if (! $result || @ARGV < 1) {
- die("Usage: mr [-d directory] action [params ...]\n".
+ die("Usage: mr [options] action [params ...]\n".
"(Use mr help for man page.)\n");
}
echo "Registering git url: $url in $MR_CONFIG"
mr -c "$MR_CONFIG" config "`pwd`" checkout="git clone --bare '$url' '$MR_REPO'"
+svn_trusted_checkout = svn co $url $repo
+svn_alt_trusted_checkout = svn checkout $url $repo
+git_trusted_checkout = git clone $url $repo
+bzr_trusted_checkout = bzr clone $url $repo
+# cvs: too hard
+hg_trusted_checkout = hg clone $url $repo
+darcs_trusted_checkout = darcs get $url $repo
+git_bare_trusted_checkout = git clone --bare $url $repo
+
help =
if [ ! -e "$MR_PATH" ]; then
error "cannot find program path"