B<mr> [options] log
+B<mr> [options] bootstrap url
+
B<mr> [options] register [repository]
B<mr> [options] config section ["parameter=[value]" ...]
contains no other registered repositories, it will stay in that directory,
and work on only that repository,
+B<mr> is configured by .mrconfig files, which list the repositories. It
+starts by reading the .mrconfig file in your home directory, and this can
+in turn chain load .mrconfig files from repositories.
+
These predefined commands should be fairly familiar to users of any revision
control system:
=over 4
+=item bootstrap url
+
+Causes mr to download the url, save it to a .mrconfig file in the
+current directory, and then check out all repositories listed in it.
+
=item list (or ls)
List the repositories that mr will act on.
Use the specified mrconfig file. The default is B<~/.mrconfig>
+=item -p
+
+Search in the current directory, and its parent directories and use
+the first B<.mrconfig> found, instead of the default B<~/.mrconfig>.
+
=item -v
Be verbose.
ssh connection limits. Running between 3 and 5 jobs at a time will yield
a good speedup in updates without loading the machine too much.
-=back
+=item -t
-=head1 FILES
+Trust all mrconfig files even if they are not listed in ~/.mrtrust.
+Use with caution.
+
+=back
-B<mr> is configured by .mrconfig files. It starts by reading the .mrconfig
-file in your home directory, and this can in turn chain load .mrconfig files
-from repositories.
+=head1 "MRCONFIG FILES"
Here is an example .mrconfig file:
=item chain
If the "chain" parameter is set and its command returns true, then B<mr>
-will try to load a .mrconfig file from the root of the repository. (You
-should avoid chaining from repositories with untrusted committers.)
+will try to load a .mrconfig file from the root of the repository.
=item include
or even to add other commands for 'mr online' to run. If the file is
present, mr assumes it is in offline mode.
+=head "UNTRUSTED MRCONFIG FILES"
+
+Since mrconfig files can contain arbitrary shell commands, they can do
+anything. This flexability is good, but it also allows a malicious mrconfig
+file to delete your whole home directory. Such a file might be contained
+inside a repository that your main ~/.mrconfig checks out and chains to. To
+avoid worries about evil commands in a mrconfig file, mr
+has the ability to read mrconfig files in untrusted mode. Such files are
+limited to running only known safe commands (like "git clone") in a
+carefully checked manner.
+
+By default, mr trusts all mrconfig files. (This default will change in a
+future release!) But if you have a ~/.mrtrust file, mr will only trust
+mrconfig files that are listed within it. (One file per line.) All other
+files will be treated as untrusted.
+
=head1 EXTENSIONS
mr can be extended to support things such as unison and git-svn. Some
=head1 AUTHOR
-Copyright 2007 Joey Hess <joey@kitenet.net>
+Copyright 2007-2009 Joey Hess <joey@kitenet.net>
Licensed under the GNU GPL version 2 or higher.
my $max_depth;
my $no_chdir=0;
my $jobs=1;
+my $trust_all=0;
my $directory=getcwd();
$ENV{MR_CONFIG}="$ENV{HOME}/.mrconfig";
return $val;
}
+my %trusted;
+sub is_trusted_config {
+ my $config=shift; # must be abs_pathed already
+
+ # We always trust ~/.mrconfig.
+ return 1 if $config eq abs_path("$ENV{HOME}/.mrconfig");
+
+ return 1 if $trust_all;
+
+ my $trustfile=$ENV{HOME}."/.mrtrust";
+
+ if (! -e $trustfile) {
+ print "mr: Assuming $config is trusted.\n";
+ print "mr: For better security, you are encouraged to create ~/.mrtrust\n";
+ print "mr: and list all trusted mrconfig files in it.\n";
+ return 1;
+ }
+
+ if (! %trusted) {
+ $trusted{"$ENV{HOME}/.mrconfig"}=1;
+ open (TRUST, "<", $trustfile) || die "$trustfile: $!";
+ while (<TRUST>) {
+ chomp;
+ s/^~\//$ENV{HOME}\//;
+ $trusted{abs_path($_)}=1;
+ }
+ close TRUST;
+ }
+
+ return $trusted{$config};
+}
+
+
+sub is_trusted_repo {
+ my $repo=shift;
+
+ # Tightly limit what is allowed in a repo name.
+ # No ../, no absolute paths, and no unusual filenames
+ # that might try to escape to the shell.
+ return $repo =~ /^[-_.+\/A-Za-z0-9]+$/ &&
+ $repo !~ /\.\./ && $repo !~ /^\//;
+}
+
+sub is_trusted_checkout {
+ my $command=shift;
+
+ # To determine if the command is safe, compare it with the
+ # *_trusted_checkout config settings. Those settings are
+ # templates for allowed commands, so make sure that each word
+ # of the command matches the corresponding word of the template.
+
+ my @words;
+ foreach my $word (split(' ', $command)) {
+ # strip quoting
+ if ($word=~/^'(.*)'$/) {
+ $word=$1;
+ }
+ elsif ($word=~/^"(.*)"$/) {
+ $word=$1;
+ }
+
+ push @words, $word;
+ }
+
+ foreach my $key (grep { /_trusted_checkout$/ }
+ keys %{$config{''}{DEFAULT}}) {
+ my @twords=split(' ', $config{''}{DEFAULT}{$key});
+ next if @words > @twords;
+
+ my $match=1;
+ my $url;
+ for (my $c=0; $c < @twords && $match; $c++) {
+ if ($twords[$c] eq '$url') {
+ # Match all the typical characters found in
+ # urls, plus @ which svn can use. Note
+ # that the "url" might also be a local
+ # directory.
+ $match=(
+ defined $words[$c] &&
+ $words[$c] =~ /^[-_.+:@\/A-Za-z0-9]+$/
+ );
+ $url=$words[$c];
+ }
+ elsif ($twords[$c] eq '$repo') {
+ # If a repo is not specified, assume it
+ # will be the last path component of the
+ # url, or something derived from it, and
+ # check that.
+ if (! defined $words[$c] && defined $url) {
+ ($words[$c])=$url=~/\/([^\/]+)\/?$/;
+ }
+
+ $match=(
+ defined $words[$c] &&
+ is_trusted_repo($words[$c])
+ );
+ }
+ elsif (defined $words[$c] && $twords[$c] eq $words[$c]) {
+ $match=1;
+ }
+ else {
+ $match=0;
+ }
+ }
+ return 1 if $match;
+ }
+
+ return 0;
+}
+
my %loaded;
sub loadconfig {
my $f=shift;
my $in;
my $dir;
+ my $trusted;
if (ref $f eq 'GLOB') {
$dir="";
- $in=$f;
+ $in=$f;
+ $trusted=1;
}
else {
if (! -e $f) {
}
$loaded{$absf}=1;
+ $trusted=is_trusted_config($absf);
+
($dir)=$f=~/^(.*\/)[^\/]+$/;
if (! defined $dir) {
$dir=".";
chomp;
next if /^\s*\#/ || /^\s*$/;
if (/^\[([^\]]*)\]\s*$/) {
- $section=expandenv($1);
+ $section=$1;
+
+ if (! $trusted) {
+ if (! is_trusted_repo($section) ||
+ $section eq 'ALIAS' ||
+ $section eq 'DEFAULT') {
+ die "mr: illegal section \"[$section]\" in untrusted $f line $line\n";
+ }
+ }
+ $section=expandenv($section) if $trusted;
}
elsif (/^(\w+)\s*=\s*(.*)/) {
my $parameter=$1;
chomp $value;
}
+ if (! $trusted) {
+ # Untrusted files can only contain checkout
+ # parameters.
+ if ($parameter ne 'checkout') {
+ die "mr: illegal setting \"$parameter=$value\" in untrusted $f line $line\n";
+ }
+ if (! is_trusted_checkout($value)) {
+ die "mr: illegal checkout command \"$value\" in untrusted $f line $line\n";
+ }
+ }
+
if ($parameter eq "include") {
print "mr: including output of \"$value\"\n" if $verbose;
unshift @lines, `$value`;
elsif ($action eq 'register') {
register(@ARGV);
}
+ elsif ($action eq 'bootstrap') {
+ bootstrap();
+ }
elsif ($action eq 'remember' ||
$action eq 'offline' ||
$action eq 'online') {
exec($command) || die "exec: $!";
}
+sub bootstrap {
+ my $url=shift @ARGV;
+
+ if (! defined $url || ! length $url) {
+ die "mr: bootstrap requires url\n";
+ }
+
+ if (-e ".mrconfig") {
+ die "mr: .mrconfig file already exists, not overwriting with $url\n";
+ }
+
+ if (system("curl", "-s", $url, "-o", ".mrconfig") != 0) {
+ die "mr: download of $url failed\n";
+ }
+
+ exec("mr $ENV{MR_SWITCHES} -c .mrconfig checkout");
+ die "failed to run mr checkout";
+}
+
# alias expansion and command stemming
sub expandaction {
my $action=shift;
return $action;
}
+sub find_nearest_mrconfig {
+ my $dir=getcwd();
+ while (length $dir) {
+ if (-e "$dir/.mrconfig") {
+ return "$dir/.mrconfig";
+ }
+ $dir=~s/\/[^\/]*$//;
+ }
+ die "no .mrconfig found in path\n";
+}
+
sub getopts {
my @saved=@ARGV;
Getopt::Long::Configure("bundling", "no_permute");
my $result=GetOptions(
"d|directory=s" => sub { $directory=abs_path($_[1]) },
"c|config=s" => sub { $ENV{MR_CONFIG}=$_[1]; $config_overridden=1 },
+ "p|path" => sub { $ENV{MR_CONFIG}=find_nearest_mrconfig(); $config_overridden=1 },
"v|verbose" => \$verbose,
"q|quiet" => \$quiet,
"s|stats" => \$stats,
"i|interactive" => \$interactive,
"n|no-recurse:i" => \$max_depth,
"j|jobs:i" => \$jobs,
+ "t|trust-all" => \$trust_all,
);
if (! $result || @ARGV < 1) {
- die("Usage: mr [-d directory] action [params ...]\n".
+ die("Usage: mr [options] action [params ...]\n".
"(Use mr help for man page.)\n");
}
svn_update = svn update "$@"
git_update = git pull "$@"
-bzr_update = bzr merge "$@"
+bzr_update = bzr merge --pull "$@"
cvs_update = cvs update "$@"
hg_update = hg pull "$@" && hg update "$@"
darcs_update = darcs pull -a "$@"
echo "Registering git url: $url in $MR_CONFIG"
mr -c "$MR_CONFIG" config "`pwd`" checkout="git clone --bare '$url' '$MR_REPO'"
+svn_trusted_checkout = svn co $url $repo
+svn_alt_trusted_checkout = svn checkout $url $repo
+git_trusted_checkout = git clone $url $repo
+bzr_trusted_checkout = bzr clone $url $repo
+# cvs: too hard
+hg_trusted_checkout = hg clone $url $repo
+darcs_trusted_checkout = darcs get $url $repo
+git_bare_trusted_checkout = git clone --bare $url $repo
+
help =
if [ ! -e "$MR_PATH" ]; then
error "cannot find program path"
man -l "$tmp" || error "man failed"
list = true
config =
+bootstrap =
online =
if [ -s ~/.mrlog ]; then