From 52df4ff515b7d6ccb361846f971d47f4edbe9d04 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 20 Apr 2022 09:29:51 -0700
Subject: [PATCH] Fix an issue where "git" may be unable to read a temporary file in Diffusion Summary: Ref T13673. After the changes in that task, we may execute "git config -l ..." as a user other than the user we used to write this temporary file. Use "--file -" to pass the data instead, avoiding use of temporary files. This makes us agnostic to filesystem permissions. Test Plan: Viewed a Git repository with submodules in Diffusion with "ssh.user" configured as a user relatively isolated from the webserver user. Maniphest Tasks: T13673 Differential Revision: https://secure.phabricator.com/D21759
---
 .../DiffusionBrowseQueryConduitAPIMethod.php | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php b/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php
index deda3d43d7..86ec7b7466 100644
--- a/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php
+++ b/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php
@@ -229,11 +229,19 @@ final class DiffusionBrowseQueryConduitAPIMethod
 $commit);
 if (!$err) {
- $tmp = new TempFile();
- Filesystem::writeFile($tmp, $contents);
- list($module_info) = $repository->execxLocalCommand(
- 'config -l -f %s',
- $tmp);
+
+ // NOTE: After T13673, the user executing "git" may not be the same
+ // as the user this process is running as (usually the webserver user),
+ // so we can't reliably use a temporary file: the daemon user may not
+ // be able to use it.
+
+ // Use "--file -" to read from stdin instead. If this fails in some
+ // older versions of Git, we could exempt this particular command from
+ // sudoing to the daemon user.
+
+ $future = $repository->getLocalCommandFuture('config -l --file - --');
+ $future->write($contents);
+ list($module_info) = $future->resolvex();
 $dict = array();
 $lines = explode("\n", trim($module_info));
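Review bot: `$future->resolvex()` throws on any non-zero exit from `git config -l --file - --`, and the added comment itself anticipates that older Git versions may reject `--file -`, so that case would surface as an exception during browse rather than a degraded view without submodule information. `$contents` appears to be repository-committed data (the test plan mentions submodules), so a malformed file would presumably take the same failure path. Consider `list($err, $module_info) = $future->resolve();` and skipping the submodule parsing, with a log entry, when `$err` is non-zero. The enclosing method starts and ends outside this hunk, so whether a caller already catches the exception cannot be confirmed from here.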