Verify that ~/.arcrc is 600 before reading from it
Summary: Since this has auth information in it now, we should prevent other users on the system from reading it. Detect readable files and prompt the user to fix them. Test Plan: Did "o+r" on my ~/.arcrc, ran "arc list", got prompted, hit "Y", verified it set perms to 600, ran "arc list" again and wasn't prompted. Reviewed By: jungejason Reviewers: fratrik, jungejason, aran, tuomaspelkonen CC: aran, jungejason, epriestley Differential Revision: 532
parent
18e34d06bc
commit
182e260472
1 changed files with 14 additions and 0 deletions
|
@ -645,6 +645,20 @@ class ArcanistBaseWorkflow {
|
|||
$user_config = array();
|
||||
$user_config_path = self::getUserConfigurationFileLocation();
|
||||
if (Filesystem::pathExists($user_config_path)) {
|
||||
$mode = fileperms($user_config_path);
|
||||
if (!$mode) {
|
||||
throw new Exception("Unable to get perms of '{$user_config_path}'!");
|
||||
}
|
||||
if ($mode & 0177) {
|
||||
// Mode should allow only owner access.
|
||||
$prompt = "File permissions on your ~/.arcrc are too open. ".
|
||||
"Fix them by chmod'ing to 600?";
|
||||
if (!phutil_console_confirm($prompt, $default_no = false)) {
|
||||
throw new ArcanistUsageException("Set ~/.arcrc to file mode 600.");
|
||||
}
|
||||
execx('chmod 600 %s', $user_config_path);
|
||||
}
|
||||
|
||||
$user_config_data = Filesystem::readFile($user_config_path);
|
||||
$user_config = json_decode($user_config_data, true);
|
||||
if (!is_array($user_config)) {
|
||||
|
|
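Review bot: The `$mode & 0177` branch treats every excess permission bit alike, so a ~/.arcrc that was group- or world-writable is chmod'ed and then passed to `json_decode` a few lines later as if its contents were still trustworthy, and one that was only readable is tightened without telling the user that the stored auth data may already have been copied. The prompt is the natural place to say so, for example by appending `"If other users could read or write this file, consider reissuing the credentials in it."` to `$prompt`. The fix-up shells out with `execx('chmod 600 %s', $user_config_path)`, which relies on a `chmod` binary found through the PATH; PHP's own `chmod($user_config_path, 0600)`, with its return value checked, does the same without a subprocess. The check presumably also misfires on platforms where `fileperms()` does not report POSIX modes, so a platform guard around the block is worth considering. The enclosing method starts and ends outside the hunk.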