[darcs-users] suggestion: each push should identify its target repo internally

Zack Brown zbrown at tumblerings.org
Thu Aug 14 00:33:51 UTC 2003


Something else just occurred to me - assuming darcs always looks for the
GNUPG keys in _darcs, then there should be no risk at all in letting the
user push with a URL, or a relative path name.

As long as darcs confirms that (a) the URL or path name points to a repository,
and (b) the push is properly signed by someone with permission to push,
then it doesn't matter what the path is. The path either leads to a
repository that provides access to that user or it doesn't. End of
story.

So, just to recap. The procmail recipe is something like

:0:
* ^DarcsURL:
| darcs apply -r

An email comes into the system with a URL or path name in the "DarcsURL"
field. The email is piped to darcs. If DarcsURL has a URL, then darcs reads
the web server config files to find the mapping to a path. If DarcsURL just
has a path, darcs uses that. Once the path is known, darcs checks there
to see if it's a valid repo. If so, it checks _darcs for the allowed_keys
file, and verifies the signature of the push. If the signature is invalid,
darcs abandons the push, and no harm done. If the signature is valid, darcs
completes the 'apply' and sends out appropriate emails.

So if this makes sense, then the main thing under contention is how
darcs determines the mapping from URL to directory path. I think using
the web server config files is a good way because it's non-redundant,
but there are arguments to be made for other ideas. Regardless of how
that mapping ultimately gets done, does the rest of this make sense?

Be well,
Zack

On Wed, Aug 13, 2003 at 12:39:21PM -0700, John Meacham wrote:
> ack, I wouldn't want references to paths on my system to escape. 
> 
> In any case, it seems clear that there would be security issues if the
> client were allowed to specify arbitrary paths or modify the url
> parameter to something which is not exported.
> 
> The solution I am thinking of is a config file, where you explicitly
> list (public URL, internal path to repository, allowed_keys) triples.
> This file is what would be passed as an option to darcs-patcher and it
> would use it to resolve where incoming patches should go and bounce any
> that refer to an invalid URL. I think trying to interpret the value as
> anything other than a key in a lookup table would lead to possible
> security issues.
> 
> This also makes setting up new repositories very simple, no need to mess
> with procmail or whatnot, just add a new entry to this file and export
> your repository.
> 
>         John
> 
> -- 
> ---------------------------------------------------------------------------
> John Meacham - California Institute of Technology, Alum. - john at foo.net
> ---------------------------------------------------------------------------
> 
> _______________________________________________
> darcs-users mailing list
> darcs-users at abridgegame.org
> http://www.abridgegame.org/mailman/listinfo/darcs-users

-- 
Zack Brown
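As an added example that is not part of this thread or of darcs itself, here is a Python sketch of the filter John describes: the DarcsURL header is used only as an exact key into a table of exported repositories, so it is never interpreted as a path, and the signature check (supplied by the caller, standing in for a GnuPG check against the repository's allowed_keys) runs before anything is applied. The table entries, paths and sample mail are all constructed.

```python
import email
from email import policy

# Constructed table in the shape John proposes: each exported public URL maps
# to (internal repository path, allowed_keys file). Everything here is
# hypothetical; darcs has no such table.
REPO_TABLE = {
    "http://example.org/repos/darcs": (
        "/srv/darcs/darcs", "/srv/darcs/darcs/_darcs/allowed_keys"),
    "http://example.org/repos/docs": (
        "/srv/darcs/docs", "/srv/darcs/docs/_darcs/allowed_keys"),
}

# Constructed incoming mail as procmail would pipe it (body is a stand-in).
SAMPLE_PUSH = (
    "From: dev@example.org\n"
    "DarcsURL: http://example.org/repos/darcs\n"
    "Subject: [PATCH] constructed sample\n"
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "[constructed patch bundle]\n"
)

def resolve_target(message_text, table=REPO_TABLE):
    """Look up the DarcsURL header as an exact key. The value is never joined
    onto a filesystem path, so '../x', absolute paths or unexported URLs all
    fall through to None instead of steering the push somewhere else."""
    msg = email.message_from_string(message_text, policy=policy.default)
    url = msg.get("DarcsURL")
    if url is None:
        return None
    return table.get(url.strip())

def accept_push(message_text, verify_signature, table=REPO_TABLE):
    """Return ('apply', repo_path) or ('bounce', reason).
    verify_signature(body, allowed_keys_path) -> bool is supplied by the
    caller and stands in for a GnuPG check against the allowed_keys file;
    it is consulted only after the target has been resolved from the table."""
    target = resolve_target(message_text, table)
    if target is None:
        return ("bounce", "DarcsURL missing or not an exported repository")
    repo_path, allowed_keys = target
    msg = email.message_from_string(message_text, policy=policy.default)
    if not verify_signature(msg.get_content(), allowed_keys):
        return ("bounce", "signature not made by a key in allowed_keys")
    return ("apply", repo_path)
```

A header value that is not an exact table key, whatever it looks like, is bounced before the signature is even examined.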
