undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not DWIM in userpath library under strict mode.

Browse Source 
This should force git-daemon administrator's job a bit harder
because the exact paths need to be given in the whitelist, but
at the same time makes the auditing easier.

This moves validate_symref() from refs.c to path.c, because we
need to link path.c with git-daemon for its "enter_repo()", but
we do not want to link the daemon with the rest of git libraries
and its requirements.

Signed-off-by: Junio C Hamano <junkio@cox.net>
This commit is contained in:
Junio C Hamano 2005-11-18 14:59:34 -08:00
parent 54f4b87454
commit 0870ca7fab
2 changed files with 60 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
path.c
View File

@ -91,20 +91,55 @@ char *safe_strncpy(char *dest, const char *src, size_t n)
return dest; return dest;
} }
int validate_symref(const char *path)
{
struct stat st;
char *buf, buffer[256];
int len, fd;
if (lstat(path, &st) < 0)
return -1;
/* Make sure it is a "refs/.." symlink */
if (S_ISLNK(st.st_mode)) {
len = readlink(path, buffer, sizeof(buffer)-1);
if (len >= 5 && !memcmp("refs/", buffer, 5))
return 0;
return -1;
}
/*
* Anything else, just open it and try to see if it is a symbolic ref.
*/
fd = open(path, O_RDONLY);
if (fd < 0)
return -1;
len = read(fd, buffer, sizeof(buffer)-1);
close(fd);
/*
* Is it a symbolic ref?
*/
if (len < 4 || memcmp("ref:", buffer, 4))
return -1;
buf = buffer + 4;
len -= 4;
while (len && isspace(*buf))
buf++, len--;
if (len >= 5 && !memcmp("refs/", buf, 5))
return 0;
return -1;
}
static char *current_dir() static char *current_dir()
{ {
return getcwd(pathname, sizeof(pathname)); return getcwd(pathname, sizeof(pathname));
} }
/* Take a raw path from is_git_repo() and canonicalize it using Linus' static int user_chdir(char *path)
* idea of a blind chdir() and getcwd(). */
static const char *canonical_path(char *path, int strict)
{ {
char *dir = path; char *dir = path;
if(strict && *dir != '/')
return NULL;
if(*dir == '~') { /* user-relative path */ if(*dir == '~') { /* user-relative path */
struct passwd *pw; struct passwd *pw;
char *slash = strchr(dir, '/'); char *slash = strchr(dir, '/');
@ -125,19 +160,19 @@ static const char *canonical_path(char *path, int strict)
/* make sure we got something back that we can chdir() to */ /* make sure we got something back that we can chdir() to */
if(!pw || chdir(pw->pw_dir) < 0) if(!pw || chdir(pw->pw_dir) < 0)
return NULL; return -1;
if(!slash || !slash[1]) /* no path following username */ if(!slash || !slash[1]) /* no path following username */
return current_dir(); return 0;
dir = slash + 1; dir = slash + 1;
} }
/* ~foo/path/to/repo is now path/to/repo and we're in foo's homedir */ /* ~foo/path/to/repo is now path/to/repo and we're in foo's homedir */
if(chdir(dir) < 0) if(chdir(dir) < 0)
return NULL; return -1;
return current_dir(); return 0;
} }
char *enter_repo(char *path, int strict) char *enter_repo(char *path, int strict)
@ -145,16 +180,24 @@ char *enter_repo(char *path, int strict)
if(!path) if(!path)
return NULL; return NULL;
if(!canonical_path(path, strict)) { if (strict) {
if(strict || !canonical_path(mkpath("%s.git", path), strict)) if((path[0] != '/') || chdir(path) < 0)
return NULL; return NULL;
} }
else {
if (!*path)
; /* happy -- no chdir */
else if (!user_chdir(path))
; /* happy -- as given */
else if (!user_chdir(mkpath("%s.git", path)))
; /* happy -- uemacs --> uemacs.git */
else
return NULL;
(void)chdir(".git");
}
/* This is perfectly safe, and people tend to think of the directory if(access("objects", X_OK) == 0 && access("refs", X_OK) == 0 &&
* where they ran git-init-db as their repository, so humour them. */ validate_symref("HEAD") == 0) {
(void)chdir(".git");
if(access("objects", X_OK) == 0 && access("refs", X_OK) == 0) {
putenv("GIT_DIR=."); putenv("GIT_DIR=.");
return current_dir(); return current_dir();
} }

40
refs.c
View File

@ -10,46 +10,6 @@
#define USE_SYMLINK_HEAD 1 #define USE_SYMLINK_HEAD 1
#endif #endif
int validate_symref(const char *path)
{
struct stat st;
char *buf, buffer[256];
int len, fd;
if (lstat(path, &st) < 0)
return -1;
/* Make sure it is a "refs/.." symlink */
if (S_ISLNK(st.st_mode)) {
len = readlink(path, buffer, sizeof(buffer)-1);
if (len >= 5 && !memcmp("refs/", buffer, 5))
return 0;
return -1;
}
/*
* Anything else, just open it and try to see if it is a symbolic ref.
*/
fd = open(path, O_RDONLY);
if (fd < 0)
return -1;
len = read(fd, buffer, sizeof(buffer)-1);
close(fd);
/*
* Is it a symbolic ref?
*/
if (len < 4 || memcmp("ref:", buffer, 4))
return -1;
buf = buffer + 4;
len -= 4;
while (len && isspace(*buf))
buf++, len--;
if (len >= 5 && !memcmp("refs/", buf, 5))
return 0;
return -1;
}
const char *resolve_ref(const char *path, unsigned char *sha1, int reading) const char *resolve_ref(const char *path, unsigned char *sha1, int reading)
{ {
int depth = MAXDEPTH, len; int depth = MAXDEPTH, len;