ambiser
/
btrbk
mirror of https://github.com/digint/btrbk
9
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ssh_filter_btrbk.sh: use single quotes where possible 

In strings that don’t contain `'` nor do any expansions, use single quotes to
avoid any future unintended expansions or escapes.

Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
improve-ssh_filter_btrbk.sh
Christoph Anton Mitterer 2022-11-15 19:49:30 +01:00 committed by Axel Burri
parent f107507876
commit 7e7783b201
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
ssh_filter_btrbk.sh
View File

@ -3,7 +3,7 @@
set -e set -e
set -u set -u
export PATH=/sbin:/bin:/usr/sbin:/usr/bin export PATH='/sbin:/bin:/usr/sbin:/usr/bin'
enable_log= enable_log=
restrict_path_list= restrict_path_list=
@ -12,7 +12,7 @@ allow_exact_list=
allow_rate_limit=1 allow_rate_limit=1
allow_stream_buffer=1 allow_stream_buffer=1
allow_compress=1 allow_compress=1
compress_list="gzip|pigz|bzip2|pbzip2|bzip3|xz|lzop|lz4|zstd" compress_list='gzip|pigz|bzip2|pbzip2|bzip3|xz|lzop|lz4|zstd'
# note that the backslash is NOT a metacharacter in a POSIX bracket expression! # note that the backslash is NOT a metacharacter in a POSIX bracket expression!
option_match='-[a-zA-Z0-9=-]+' # matches short as well as long options option_match='-[a-zA-Z0-9=-]+' # matches short as well as long options
@ -40,14 +40,14 @@ allow_exact_cmd()
reject_and_die() reject_and_die()
{ {
local reason=$1 local reason=$1
log_cmd "auth.err" "btrbk REJECT" "$reason" log_cmd 'auth.err' 'btrbk REJECT' "$reason"
echo "ERROR: ssh_filter_btrbk.sh: ssh command rejected: $reason: $SSH_ORIGINAL_COMMAND" 1>&2 echo "ERROR: ssh_filter_btrbk.sh: ssh command rejected: $reason: $SSH_ORIGINAL_COMMAND" 1>&2
exit 255 exit 255
} }
run_cmd() run_cmd()
{ {
log_cmd "auth.info" "btrbk ACCEPT" log_cmd 'auth.info' 'btrbk ACCEPT'
eval " $SSH_ORIGINAL_COMMAND" eval " $SSH_ORIGINAL_COMMAND"
} }
@ -77,7 +77,7 @@ reject_filtered_cmd()
# rate_limit_remote and stream_buffer_remote use combined # rate_limit_remote and stream_buffer_remote use combined
# "mbuffer" as of btrbk-0.29.0 # "mbuffer" as of btrbk-0.29.0
if [[ -n "$allow_stream_buffer" ]] || [[ -n "$allow_rate_limit" ]]; then if [[ -n "$allow_stream_buffer" ]] || [[ -n "$allow_rate_limit" ]]; then
mbuffer_match="mbuffer -v 1 -q( -s [0-9]+[kmgKMG]?)?( -m [0-9]+[kmgKMG]?)?( -[rR] [0-9]+[kmgtKMGT]?)?" mbuffer_match='mbuffer -v 1 -q( -s [0-9]+[kmgKMG]?)?( -m [0-9]+[kmgKMG]?)?( -[rR] [0-9]+[kmgtKMGT]?)?'
else else
mbuffer_match= mbuffer_match=
fi fi
@ -104,8 +104,8 @@ reject_filtered_cmd()
# check for "--sudo" option before processing other options # check for "--sudo" option before processing other options
sudo_prefix= sudo_prefix=
for key; do for key; do
[[ "$key" == "--sudo" ]] && sudo_prefix="sudo -n " [[ "$key" == '--sudo' ]] && sudo_prefix='sudo -n '
[[ "$key" == "--doas" ]] && sudo_prefix="doas -n " [[ "$key" == '--doas' ]] && sudo_prefix='doas -n '
done done
while [[ "$#" -ge 1 ]]; do while [[ "$#" -ge 1 ]]; do
@ -173,8 +173,8 @@ done
allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_arg_match}"; allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_arg_match}";
allow_cmd "${sudo_prefix}readlink" # resolve symlink allow_cmd "${sudo_prefix}readlink" # resolve symlink
allow_exact_cmd "${sudo_prefix}test -d ${file_arg_match}" # check directory (only for compat=busybox) allow_exact_cmd "${sudo_prefix}test -d ${file_arg_match}" # check directory (only for compat=busybox)
allow_exact_cmd "cat /proc/self/mountinfo" # resolve mountpoints allow_exact_cmd 'cat /proc/self/mountinfo' # resolve mountpoints
allow_exact_cmd "cat /proc/self/mounts" # legacy, for btrbk < 0.27.0 allow_exact_cmd 'cat /proc/self/mounts' # legacy, for btrbk < 0.27.0
# remove leading "|" on alternation lists # remove leading "|" on alternation lists
allow_list=${allow_list#\|} allow_list=${allow_list#\|}