From 40077107f4ec82f78d2f1456343f90339a10e73f Mon Sep 17 00:00:00 2001
From: Joe Rayhawk
Date: Sun, 3 Oct 2021 19:59:21 -0700
Subject: Piny::Repo: Fix hook security checks.
---
libpiny/lib/Piny/Repo.pm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'libpiny/lib')
diff --git a/libpiny/lib/Piny/Repo.pm b/libpiny/lib/Piny/Repo.pm
index 6e546d5..c4ec47a 100644
--- a/libpiny/lib/Piny/Repo.pm
+++ b/libpiny/lib/Piny/Repo.pm
@@ -328,17 +328,17 @@ sub rebuild_git { # FIXME: most of these are probably unnecessary to check due to limitations of bare repositories. foreach( "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit", "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive", "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc", "post-rewrite", "sendemail-validate", "fsmonitor-watchman" ) { my $link = $s->path . "/hooks/" . $_; - while ( -s $link ) { + while ( -l $link ) { $link = readlink( $link ); }; my ( $dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks ) = stat( $link ) or next; my $name = getpwuid( $uid ) or die "Unable to find name for uid" . $uid . "for hook " . $s->path . "/hooks/" . $_ . "\n"; my $group = getgrgid( $gid ) or die "Unable to find group for gid" . $gid . "for hook " . $s->path . "/hooks/" . $_ . "\n"; - unless ( $name =~ /^(root|iki-$s->shortname)/ ) { - warn( "Security warning: $link is not owned by user root or iki-$s->shortname!\n" ); + unless ( $name =~ /^(root|iki-$s->{shortname})/ ) { + warn( "Security warning: $link is not owned by user root or iki-$s->{shortname}!\n" ); }; - unless ( $group =~ /^(root|iki-$s->shortname|git-$s->shortname)$/ ) { - warn( "Security warning: $link is not owned by group root, iki-$s->shortname, or git-$s->shortname!\n" ); + unless ( $group =~ /^(root|iki-$s->{shortname}|git-$s->{shortname})$/ ) { + warn( "Security warning: $link is not owned by group root, iki-$s->{shortname}, or git-$s->{shortname}!\n" ); }; }; -- cgit v1.2.3
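Review bot: The owner check on the new `unless ( $name =~ /^(root|iki-$s->{shortname})/ )` line is still a prefix match: unlike the group pattern it has no end anchor, so any account whose name merely starts with `root` or `iki-<shortname>` passes, and in both patterns the short name is interpolated as regex syntax rather than as a literal. I would write it as `unless ( $name =~ /^(?:root|iki-\Q$s->{shortname}\E)\z/ ) {` and give the group pattern the same `\Q...\E` and `\z` treatment. Separately, the `while ( -l $link ) { $link = readlink( $link ); }` loop uses readlink's result verbatim, so a relative target is resolved against the process's working directory instead of the hooks directory; the following `stat( $link ) or next` then skips that hook with no warning, and a self-referencing link can keep the loop from terminating. Since stat() already follows symlinks, calling it on `$s->path . "/hooks/" . $_` directly would check the final target without the manual loop. rebuild_git begins and continues outside this hunk.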