1
0
Fork 0
mirror of https://we.phorge.it/source/arcanist.git synced 2024-11-10 08:52:39 +01:00

Verify that ~/.arcrc is 600 before reading from it

Summary:
Since this has auth information in it now, we should prevent other users on the
system from reading it. Detect readable files and prompt the user to fix them.

Test Plan:
Did "o+r" on my ~/.arcrc, ran "arc list", got prompted, hit "Y", verified it set
perms to 600, ran "arc list" again and wasn't prompted.

Reviewed By: jungejason
Reviewers: fratrik, jungejason, aran, tuomaspelkonen
CC: aran, jungejason, epriestley
Differential Revision: 532
This commit is contained in:
epriestley 2011-06-26 11:09:13 -07:00
parent 18e34d06bc
commit 182e260472

View file

@ -645,6 +645,20 @@ class ArcanistBaseWorkflow {
$user_config = array(); $user_config = array();
$user_config_path = self::getUserConfigurationFileLocation(); $user_config_path = self::getUserConfigurationFileLocation();
if (Filesystem::pathExists($user_config_path)) { if (Filesystem::pathExists($user_config_path)) {
$mode = fileperms($user_config_path);
if (!$mode) {
throw new Exception("Unable to get perms of '{$user_config_path}'!");
}
if ($mode & 0177) {
// Mode should allow only owner access.
$prompt = "File permissions on your ~/.arcrc are too open. ".
"Fix them by chmod'ing to 600?";
if (!phutil_console_confirm($prompt, $default_no = false)) {
throw new ArcanistUsageException("Set ~/.arcrc to file mode 600.");
}
execx('chmod 600 %s', $user_config_path);
}
$user_config_data = Filesystem::readFile($user_config_path); $user_config_data = Filesystem::readFile($user_config_path);
$user_config = json_decode($user_config_data, true); $user_config = json_decode($user_config_data, true);
if (!is_array($user_config)) { if (!is_array($user_config)) {