shell: drop git-cvsserver support by default

The git-cvsserver script is old and largely unmaintained
these days. But git-shell allows untrusted users to run it
out of the box, significantly increasing its attack surface.

Let's drop it from git-shell's list of internal handlers so
that it cannot be run by default.  This is not backwards
compatible. But given the age and development activity on
CVS-related parts of Git, this is likely to impact very few
users, while helping many more (i.e., anybody who runs
git-shell and had no intention of supporting CVS).

There's no configuration mechanism in git-shell for us to
add a boolean and flip it to "off". But there is a mechanism
for adding custom commands, and adding CVS support here is
fairly trivial. Let's document it to give guidance to
anybody who really is still running cvsserver.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Jeff King 2017-09-11 11:27:51 -04:00 committed by Junio C Hamano
parent 4d4165b80d
commit 9a42c03cb7
3 changed files with 64 additions and 14 deletions

View File

@ -79,6 +79,22 @@ EOF
$ chmod +x $HOME/git-shell-commands/no-interactive-login
----------------
To enable git-cvsserver access (which should generally have the
`no-interactive-login` example above as a prerequisite, as creating
the git-shell-commands directory allows interactive logins):
----------------
$ cat >$HOME/git-shell-commands/cvs <<\EOF
if ! test $# = 1 && test "$1" = "server"
then
echo >&2 "git-cvsserver only handles \"server\""
exit 1
fi
exec git cvsserver server
EOF
$ chmod +x $HOME/git-shell-commands/cvs
----------------
SEE ALSO
--------
ssh(1),

14
shell.c
View File

@ -25,19 +25,6 @@ static int do_generic_cmd(const char *me, char *arg)
return execv_git_cmd(my_argv);
}
static int do_cvs_cmd(const char *me, char *arg)
{
const char *cvsserver_argv[3] = {
"cvsserver", "server", NULL
};
if (!arg || strcmp(arg, "server"))
die("git-cvsserver only handles server: %s", arg);
setup_path();
return execv_git_cmd(cvsserver_argv);
}
static int is_valid_cmd_name(const char *cmd)
{
/* Test command contains no . or / characters */
@ -134,7 +121,6 @@ static struct commands {
{ "git-receive-pack", do_generic_cmd },
{ "git-upload-pack", do_generic_cmd },
{ "git-upload-archive", do_generic_cmd },
{ "cvs", do_cvs_cmd },
{ NULL },
};

View File

@ -588,4 +588,52 @@ test_expect_success 'cvs annotate' '
test_cmp ../expect ../actual
'
#------------
# running via git-shell
#------------
cd "$WORKDIR"
test_expect_success 'create remote-cvs helper' '
write_script remote-cvs <<-\EOF
exec git shell -c "cvs server"
EOF
'
test_expect_success 'cvs server does not run with vanilla git-shell' '
(
cd cvswork &&
CVS_SERVER=$WORKDIR/remote-cvs &&
export CVS_SERVER &&
test_must_fail cvs log merge
)
'
test_expect_success 'configure git shell to run cvs server' '
mkdir "$HOME"/git-shell-commands &&
write_script "$HOME"/git-shell-commands/cvs <<-\EOF &&
if ! test $# = 1 && test "$1" = "server"
then
echo >&2 "git-cvsserver only handles \"server\""
exit 1
fi
exec git cvsserver server
EOF
# Should not be used, but part of the recommended setup
write_script "$HOME"/git-shell-commands/no-interactive-login <<-\EOF
echo Interactive login forbidden
EOF
'
test_expect_success 'cvs server can run with recommended config' '
(
cd cvswork &&
CVS_SERVER=$WORKDIR/remote-cvs &&
export CVS_SERVER &&
cvs log merge
)
'
test_done