From: Kunal Mehta
Date: Sun, 3 Dec 2017 07:19:24 +0000 (-0800)
Subject: GitInfo: Fix shell restrictions for submodules
X-Git-Tag: 1.31.0-rc.0~1258^2
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=0d1a6a4d1fa18ee1048f9794fb497eda1c2b28df;hp=808e45d13d400256d36cfcd95e79a567197d9a8b

GitInfo: Fix shell restrictions for submodules

Submodules have their git directory in the master repository's directory (../.git/modules/). firejail does not allow whitelisted paths to have ".." in them, so use realpath() to get rid of that. `git show` still wants to be able to access the main repository directory though, so we also need to whitelist the $repoDir itself.

Bug: T181919
Change-Id: I928df92b47733bc7fbb9c796bcfc1504d4a4598c
---

diff --git a/includes/GitInfo.php b/includes/GitInfo.php
index f170a025f7..fb75c256d6 100644
--- a/includes/GitInfo.php
+++ b/includes/GitInfo.php
@@ -37,6 +37,11 @@ class GitInfo {
 */
 protected $basedir;
 
+ /**
+ * Location of the repository
+ */
+ protected $repoDir;
+
 /**
 * Path to JSON cache file for pre-computed git information.
 */
@@ -58,6 +63,7 @@ class GitInfo {
 * @see precomputeValues
 */
 public function __construct( $repoDir, $usePrecomputed = true ) {
+ $this->repoDir = $repoDir;
 $this->cacheFile = self::getCacheFilePath( $repoDir );
 wfDebugLog( 'gitinfo',
 "Computed cacheFile={$this->cacheFile} for {$repoDir}"
@@ -230,10 +236,11 @@ class GitInfo {
 '--format=format:%ct',
 'HEAD',
 ];
+ $gitDir = realpath( $this->basedir );
 $result = Shell::command( $cmd )
- ->environment( [ 'GIT_DIR' => $this->basedir ] )
+ ->environment( [ 'GIT_DIR' => $gitDir ] )
 ->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
- ->whitelistPaths( [ $this->basedir ] )
+ ->whitelistPaths( [ $gitDir, $this->repoDir ] )
 ->execute();
 
 if ( $result->getExitCode() === 0 ) {
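Review bot: The docblock added for `$repoDir` in the `@@ -37,6 +37,11 @@` hunk gives no type and does not say which directory it is, while the class already holds `$basedir` as a second location. Because the last hunk passes this value to `whitelistPaths()`, the comment should state that it is the repository directory handed to the constructor and not the git directory, for example `@var string Repository directory as passed to the constructor; exposed to sandboxed git commands`. The class body starts and ends outside the hunk.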
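Review bot: `realpath()` returns `false` when the path cannot be resolved, and in the `@@ -230,10 +236,11 @@` hunk that value would go straight into `GIT_DIR` and `whitelistPaths()`; unless a check outside the hunk already guarantees that `$this->basedir` exists, guard it with `if ( $gitDir === false )` and skip the command. `$this->repoDir` is whitelisted exactly as the caller supplied it, so a relative path or a `..` segment there would presumably hit the same firejail restriction the commit message describes; resolving it with `realpath()` as well would keep the two entries consistent. Whitelisting the whole repository directory also lets the sandboxed `git show` read every file in the working tree, which is broader than the previous single entry, so a short comment explaining why git needs it would help a later reader judge whether a narrower path is enough. The enclosing method starts and ends outside the hunk.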