X-Git-Url: https://git.madduck.net/code/myrepos.git/blobdiff_plain/6ac6acc4892bfcbe166f09b64eaecc420c430106..b1bcef3dd99ffcc1d7140fad5b3a72bebff4a571:/mr?ds=sidebyside diff --git a/mr b/mr index bd6c2d7..d5424ca 100755 --- a/mr +++ b/mr @@ -1184,13 +1184,23 @@ sub loadconfig { } if (! $trusted) { - # Untrusted files can only contain checkout - # parameters. - if ($parameter ne 'checkout') { - trusterror("mr: illegal setting \"$parameter=$value\"", $f, $line, $bootstrap_url); + # Untrusted files can only contain a few + # settings in specific known-safe formats. + if ($parameter eq 'checkout') { + if (! is_trusted_checkout($value)) { + trusterror("mr: illegal checkout command \"$value\"", $f, $line, $bootstrap_url); + } + } + elsif ($parameter eq 'order') { + # not interpreted as a command, so + # safe. } - if (! is_trusted_checkout($value)) { - trusterror("mr: illegal checkout command \"$value\"", $f, $line, $bootstrap_url); + elsif ($value eq 'true' || $value eq 'false') { + # skip=true , deleted=true etc are + # safe. + } + else { + trusterror("mr: illegal setting \"$parameter=$value\"", $f, $line, $bootstrap_url); } }