Allow untrusted mrconfig files to set parameters to true/false
diff --git a/mr b/mr
index bd6c2d73d90656a332ec9f12acd6d1d47a1fd036..d5424caa2eed10a3ff23d1fe81d58bf5060b7b25 100755 (executable)
--- a/mr
+++ b/mr
@@ -1184,13 +1184,23 @@ sub loadconfig {
                        }
 
                        if (! $trusted) {
                        }
 
                        if (! $trusted) {
-                               # Untrusted files can only contain checkout
-                               # parameters.
-                               if ($parameter ne 'checkout') {
-                                       trusterror("mr: illegal setting \"$parameter=$value\"", $f, $line, $bootstrap_url);
+                               # Untrusted files can only contain a few
+                               # settings in specific known-safe formats.
+                               if ($parameter eq 'checkout') {
+                                       if (! is_trusted_checkout($value)) {
+                                               trusterror("mr: illegal checkout command \"$value\"", $f, $line, $bootstrap_url);
+                                       }
+                               }
+                               elsif ($parameter eq 'order') {
+                                       # not interpreted as a command, so
+                                       # safe.
                                }
                                }
-                               if (! is_trusted_checkout($value)) {
-                                       trusterror("mr: illegal checkout command \"$value\"", $f, $line, $bootstrap_url);
+                               elsif ($value eq 'true' || $value eq 'false') {
+                                       # skip=true , deleted=true etc are
+                                       # safe.
+                               }
+                               else {
+                                       trusterror("mr: illegal setting \"$parameter=$value\"", $f, $line, $bootstrap_url);
                                }
                        }
 
                                }
                        }
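Review bot: The new `elsif ($value eq 'true' || $value eq 'false')` branch tests only the value, so an untrusted file can now set any parameter name to `true` or `false`, not just the flags its comment mentions (`skip`, `deleted`). If other parameters are run as commands, as the `checkout` handling suggests, this still keeps attacker-chosen text away from the shell, but it would let an untrusted file turn an action into a silent no-op or a forced failure. Consider tying the branch to an explicit set of names, for example `elsif (($parameter eq 'skip' || $parameter eq 'deleted') && ($value eq 'true' || $value eq 'false'))`, and extending that list deliberately. The `order` branch likewise accepts any value; the comment's claim that it is never interpreted as a command depends on code outside this hunk, and `loadconfig` itself starts and ends outside it.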