git-daemon support for user-relative paths.

Dropped a fair amount of reundant code in favour of the library code
in path.c

Added option --strict-paths with documentation, with backwards
compatibility for whitelist entries with symlinks.

Everything that worked earlier still works insofar as I have
remembered testing it.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
This commit is contained in:
Andreas Ericsson 2005-11-17 20:37:14 +01:00 committed by Junio C Hamano
parent aa7f412abf
commit 4dbd135279
3 changed files with 72 additions and 87 deletions

View File

@ -29,9 +29,15 @@ This is ideally suited for read-only updates, ie pulling from git repositories.
OPTIONS
-------
+--strict-paths::
Match paths exactly (i.e. don't allow "/foo/repo" when the real path is
"/foo/repo.git" or "/foo/repo/.git") and don't do user-relative paths.
git-daemon will refuse to start when this option is enabled and no
whitelist is specified.
--export-all::
Allow pulling from all directories that look like GIT repositories
(have the 'objects' subdirectory and a 'HEAD' file), even if they
(have the 'objects' and 'refs' subdirectories), even if they
do not have the 'git-daemon-export-ok' file.
--inetd::
@ -57,9 +63,15 @@ OPTIONS
--verbose::
Log details about the incoming connections and requested files.
<directory>::
A directory to add to the whitelist of allowed directories. Unless
--strict-paths is specified this will also include subdirectories
of each named directory.
Author
------
Written by Linus Torvalds <torvalds@osdl.org> and YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Written by Linus Torvalds <torvalds@osdl.org>, YOSHIFUJI Hideaki
<yoshfuji@linux-ipv6.org> and the git-list <git@vger.kernel.org>
Documentation
--------------

View File

@ -9,15 +9,16 @@
- http://host.xz/path/to/repo.git/
- https://host.xz/path/to/repo.git/
- git://host.xz/path/to/repo.git/
- git://host.xz/~user/path/to/repo.git/
- ssh://host.xz/path/to/repo.git/
- ssh://host.xz/~user/path/to/repo.git/
- ssh://host.xz/~/path/to/repo.git
===============================================================
+
SSH Is the default transport protocol and also supports an
scp-like syntax. Both syntaxes support username expansion.
The following three are identical to the last three above,
respectively:
scp-like syntax. Both syntaxes support username expansion,
as does the native git protocol. The following three are
identical to the last three above, respectively:
+
===============================================================
- host.xz:/path/to/repo.git/

136
daemon.c
View File

@ -15,10 +15,11 @@ static int verbose;
static const char daemon_usage[] =
"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
" [--timeout=n] [--init-timeout=n] [directory...]";
" [--timeout=n] [--init-timeout=n] [--strict-paths] [directory...]";
/* List of acceptable pathname prefixes */
static char **ok_paths = NULL;
static int strict_paths = 0;
/* If this is set, git-daemon-export-ok is not required */
static int export_all_trees = 0;
@ -81,69 +82,56 @@ static void loginfo(const char *err, ...)
va_end(params);
}
static int path_ok(const char *dir)
static char *path_ok(char *dir)
{
const char *p = dir;
char **pp;
int sl, ndot;
char *path = enter_repo(dir, strict_paths);
/* The pathname here should be an absolute path. */
if ( *p++ != '/' )
return 0;
sl = 1; ndot = 0;
for (;;) {
if ( *p == '.' ) {
ndot++;
} else if ( *p == '\0' ) {
/* Reject "." and ".." at the end of the path */
if ( sl && ndot > 0 && ndot < 3 )
return 0;
/* Otherwise OK */
break;
} else if ( *p == '/' ) {
/* Refuse "", "." or ".." */
if ( sl && ndot < 3 )
return 0;
sl = 1;
ndot = 0;
} else {
sl = ndot = 0;
}
p++;
if (!path) {
logerror("'%s': unable to chdir or not a git archive", dir);
return NULL;
}
if ( ok_paths && *ok_paths ) {
int ok = 0;
char **pp = NULL;
int dirlen = strlen(dir);
int pathlen = strlen(path);
for ( pp = ok_paths ; *pp ; pp++ ) {
int len = strlen(*pp);
if ( len <= dirlen &&
!strncmp(*pp, dir, len) &&
(dir[len] == '/' || dir[len] == '\0') ) {
ok = 1;
break;
/* because of symlinks we must match both what the
* user passed and the canonicalized path, otherwise
* the user can send a string matching either a whitelist
* entry or an actual directory exactly and still not
* get through */
if (len <= pathlen && !memcmp(*pp, path, len)) {
if (path[len] == '\0' || (!strict_paths && path[len] == '/'))
return path;
}
if (len <= dirlen && !memcmp(*pp, dir, len)) {
if (dir[len] == '\0' || (!strict_paths && dir[len] == '/'))
return path;
}
}
if ( !ok )
return 0; /* Path not in whitelist */
}
else {
/* be backwards compatible */
if (!strict_paths)
return path;
}
return 1; /* Path acceptable */
logerror("'%s': not in whitelist", path);
return NULL; /* Fallthrough. Deny by default */
}
static int set_dir(const char *dir)
static int upload(char *dir)
{
if (!path_ok(dir)) {
errno = EACCES;
return -1;
}
/* Timeout as string */
char timeout_buf[64];
const char *path;
if ( chdir(dir) )
loginfo("Request for '%s'", dir);
if (!(path = path_ok(dir)))
return -1;
/*
@ -152,45 +140,17 @@ static int set_dir(const char *dir)
* We want a readable HEAD, usable "objects" directory, and
* a "git-daemon-export-ok" flag that says that the other side
* is ok with us doing this.
*
* path_ok() uses enter_repo() and does whitelist checking.
* We only need to make sure the repository is exported.
*/
if (!export_all_trees && access("git-daemon-export-ok", F_OK)) {
logerror("'%s': repository not exported.", path);
errno = EACCES;
return -1;
}
if (access("objects/", X_OK) || access("HEAD", R_OK)) {
errno = EINVAL;
return -1;
}
/* If all this passed, we're OK */
return 0;
}
static int upload(char *dir)
{
/* Try paths in this order */
static const char *paths[] = { "%s", "%s/.git", "%s.git", "%s.git/.git", NULL };
const char **pp;
/* Enough for the longest path above including final null */
int buflen = strlen(dir)+10;
char *dirbuf = xmalloc(buflen);
/* Timeout as string */
char timeout_buf[64];
loginfo("Request for '%s'", dir);
for ( pp = paths ; *pp ; pp++ ) {
snprintf(dirbuf, buflen, *pp, dir);
if ( !set_dir(dirbuf) )
break;
}
if ( !*pp ) {
logerror("Cannot set directory '%s': %s", dir, strerror(errno));
return -1;
}
/*
* We'll ignore SIGTERM from now on, we have a
* good client.
@ -200,7 +160,7 @@ static int upload(char *dir)
snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);
/* git-upload-pack only ever reads stuff, so this is safe */
execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL);
execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, path, NULL);
return -1;
}
@ -216,7 +176,7 @@ static int execute(void)
if (len && line[len-1] == '\n')
line[--len] = 0;
if (!strncmp("git-upload-pack /", line, 17))
if (!strncmp("git-upload-pack ", line, 16))
return upload(line+16);
logerror("Protocol error: '%s'", line);
@ -617,6 +577,10 @@ int main(int argc, char **argv)
init_timeout = atoi(arg+15);
continue;
}
if (!strcmp(arg, "--strict-paths")) {
strict_paths = 1;
continue;
}
if (!strcmp(arg, "--")) {
ok_paths = &argv[i+1];
break;
@ -631,6 +595,14 @@ int main(int argc, char **argv)
if (log_syslog)
openlog("git-daemon", 0, LOG_DAEMON);
if (strict_paths && (!ok_paths || !*ok_paths)) {
if (!inetd_mode)
die("git-daemon: option --strict-paths requires a whitelist");
logerror("option --strict-paths requires a whitelist");
exit (1);
}
if (inetd_mode) {
fclose(stderr); //FIXME: workaround
return execute();