[Monotone-devel] popen replacement
From: William Uther
Subject: [Monotone-devel] popen replacement
Date: Sun, 18 Feb 2007 20:44:04 +1100
Hi all,

A while ago I came across the fact that popen was disabled in the
Lua hooks in monotone for security reasons. Here is a patch that
replaces it with a security-conscious version (like spawn() replaces
execute()). The 'security consciousness' is simply accepting the
command as an array of arguments rather than a single string to be
parsed by the shell.

Returning a FILE* from C functions in Lua is tricky (there is a
Lua FAQ on just this). This wasn't working for a while, then it was,
and I don't understand what changed. If someone wants to look at
that, I wouldn't mind. It would be good if people could test it on a
bunch of different systems too...

I've only implemented this on Unix. I have no Windows knowledge
or ability to test.

I'm assuming that attaching a patch to an email to the list is the
correct way to submit this. Let me know if there is something else I
should do.

Attachment: spawn_pipe.patch

BTW, I'm using this on MacOS X to store my password securely in the
system keychain. In particular, I have this in my monotonerc:
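
    function get_passphrase(keypair_id)
       -- Run the getPassword helper; "monotoneKey" is the keychain account name
       local procfin, procfout, pid = spawn_pipe("getPassword", "monotoneKey")
       procfin:close()                       -- nothing to send to the helper
       local pass, errstr = procfout:read()  -- first output line is the password
       procfout:close()
       if (pid ~= -1) then wait(pid) end     -- reap the child process
       return pass
    end
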
Where getPassword is the following shell script:

    /usr/bin/security find-generic-password -ga "$1" 2>&1 > /dev/null |
        /sw/bin/sed -r -e 's/password: \"(.*)\"/\1/'

You set the password by launching "Keychain Access" from the
Utilities folder and clicking on the little + at the bottom of the
window. The Account Name is "monotoneKey", and the password is the
password. :)

Cheers,
Will :-}
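
The shell-free spawning described in the message, sketched in C as an added example; it is not the code from spawn_pipe.patch, and the names spawn_pipe_argv and echo_via_argv and the sample argument are assumptions made for illustration. Because the command is an argument vector handed to execvp(), shell metacharacters inside an argument reach the child as literal bytes instead of being parsed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not the code in spawn_pipe.patch: exec argv[0] with no
 * shell in between. Returns the child pid (or -1) and its stdin/stdout. */
pid_t spawn_pipe_argv(char *const argv[], FILE **to_child, FILE **from_child)
{
    int in[2], out[2];          /* in: parent->child, out: child->parent */
    if (pipe(in) == -1) return -1;
    if (pipe(out) == -1) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid == 0) {             /* child: wire the pipes to stdin/stdout */
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execvp(argv[0], argv);  /* every argv element arrives verbatim */
        _exit(127);             /* exec failed */
    }
    close(in[0]); close(out[1]);    /* parent keeps only its own ends */
    if (pid == -1) { close(in[1]); close(out[0]); return -1; }
    *to_child = fdopen(in[1], "w");
    *from_child = fdopen(out[0], "r");
    return pid;
}

/* Runs `echo <arg>`; first output line goes to buf. Returns exit status or -1. */
int echo_via_argv(const char *arg, char *buf, size_t len)
{
    char *argv[] = { "echo", (char *)arg, NULL };
    FILE *w, *r; int status;
    pid_t pid = spawn_pipe_argv(argv, &w, &r);
    if (pid == -1) return -1;
    fclose(w);                  /* child sees EOF on stdin */
    if (!fgets(buf, (int)len, r)) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    fclose(r);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];              /* constructed input with a shell metacharacter */
    int rc = echo_via_argv("monotoneKey; echo INJECTED", buf, sizeof buf);
    printf("exit=%d output=[%s]\n", rc, buf);
    return rc;
}
```

Passed to a shell as one string, the same text would run two commands and the first output line would be just "monotoneKey"; here the whole string comes back as a single argument.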