Paste number 80442: Unsafe repo creation

Pasted by: Ry4an
When: 1 year, 2 months ago
Channel: #mercurial
Paste contents:
#!/bin/sh

echo -n -e "Content-Type: text/plain\n\n"

cd /my/repos/$PATH_INFO
hg init

Annotations for this paste:

Annotation number 1: Using
Pasted by: Ry4an
When: 1 year, 2 months ago
Paste contents:
ScriptAlias /unsafecreate /path/to/unsafecreate.cgi

Invoke as:

GET http://your-poorly-admined-host.com/unsafecreate/path/to/new/repo

Annotation number 2: More "nice" version of script
Pasted by: jtiai
When: 1 year, 2 months ago
Paste contents:
#!/bin/sh

# Note: depending on shell echo might need -n -e flags

REPO_ROOT=/path/to/repos
REPO_URL=http://myserver.example.com/hg

echo "Content-Type: text/html\n\n"

REPO_PATH=$REPO_ROOT/$PATH_INFO
if [ -f $REPO_PATH ]; then
 echo "File $PATH_INFO already exists!"
 exit;
fi;

if [ -d $REPO_PATH ]; then
 echo "Directory $PATH_INFO already exists!"
 exit;
fi;

mkdir -p $REPO_PATH
cd $REPO_PATH
hg init
HGRC=$REPO_PATH/.hg/hgrc

echo "[web]\ndescription = Automatically created $PATH_INFO\nallow_push = *\n" $

echo "Repository <a href=\"$REPO_URL$PATH_INFO\">$PATH_INFO</a> created!"


Annotation number 3: Nice script
Pasted by: Ry4an
When: 1 year, 2 months ago
Paste contents:
Looks great, but do keep in mind that these will be dangerous:

GET /script/../../muhahaha

GET /script/%3Brm%20-rf%20
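
An added example, not part of the paste or of any annotation: a POSIX sh allowlist check for PATH_INFO that rejects the two request shapes listed in annotation 3 before anything touches the filesystem. The REPO_ROOT default, the function names and the naming policy (allowed characters, no dot- or dash-leading components) are assumptions.

```sh
#!/bin/sh
# Added example: allowlist check for PATH_INFO ahead of mkdir / hg init.
# REPO_ROOT default, function names and naming policy are assumptions.
LC_ALL=C; export LC_ALL            # make the A-Z / a-z ranges byte-exact
REPO_ROOT=${REPO_ROOT:-/path/to/repos}

# Print the repo name relative to REPO_ROOT and return 0 if acceptable,
# print nothing and return 1 otherwise. Never touches the filesystem.
validate_repo_name() {
    name=${1#/}                          # drop the one leading "/" of PATH_INFO
    [ -n "$name" ] || return 1           # empty request
    case $name in
        *[!A-Za-z0-9._/-]*) return 1 ;;  # space ; % $ etc. (decoded or not)
        /*|*/|*//*)         return 1 ;;  # absolute path or empty component
        .*|*/.*)            return 1 ;;  # ".", "..", ".hg", any dot-leading part
        -*|*/-*)            return 1 ;;  # part that a tool could read as an option
    esac
    printf '%s\n' "$name"
}

# Create the repository only for a validated name; every expansion is quoted.
create_repo() {
    name=$(validate_repo_name "$1") || { echo "Rejected repository name"; return 1; }
    target=$REPO_ROOT/$name
    if [ -e "$target" ]; then
        echo "$name already exists"
        return 1
    fi
    mkdir -p "$target" && hg init "$target" && echo "Created $name"
}

# CGI entry point would be:
#   printf 'Content-Type: text/plain\r\n\r\n'; create_repo "$PATH_INFO"

# Constructed sample requests (PATH_INFO as the script would receive it).
for p in '/project/new' '/../../muhahaha' '/;rm -rf ' '/%3Brm%20-rf%20' '/a/../b'; do
    if validate_repo_name "$p" >/dev/null; then
        echo "accept: $p"
    else
        echo "reject: $p"
    fi
done
```

This is a string check only; a symlink that already exists under REPO_ROOT is outside what it covers.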
