Merge branch 'jk/daemon-path-ok-check-truncation' into maint

"git daemon" used fixed-length buffers to turn URL to the
repository the client asked for into the server side directory
path, using snprintf() to avoid overflowing these buffers, but
allowed possibly truncated paths to the directory.  This has been
tightened to reject such a request that causes overlong path to be
required to serve.

* jk/daemon-path-ok-check-truncation:
  daemon: detect and reject too-long paths
This commit is contained in:
Junio C Hamano 2016-11-29 13:27:55 -08:00
commit aa22ef8a80

View File

@ -160,6 +160,7 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
{ {
static char rpath[PATH_MAX]; static char rpath[PATH_MAX];
static char interp_path[PATH_MAX]; static char interp_path[PATH_MAX];
size_t rlen;
const char *path; const char *path;
const char *dir; const char *dir;
@ -187,8 +188,12 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
namlen = slash - dir; namlen = slash - dir;
restlen -= namlen; restlen -= namlen;
loginfo("userpath <%s>, request <%s>, namlen %d, restlen %d, slash <%s>", user_path, dir, namlen, restlen, slash); loginfo("userpath <%s>, request <%s>, namlen %d, restlen %d, slash <%s>", user_path, dir, namlen, restlen, slash);
snprintf(rpath, PATH_MAX, "%.*s/%s%.*s", rlen = snprintf(rpath, sizeof(rpath), "%.*s/%s%.*s",
namlen, dir, user_path, restlen, slash); namlen, dir, user_path, restlen, slash);
if (rlen >= sizeof(rpath)) {
logerror("user-path too large: %s", rpath);
return NULL;
}
dir = rpath; dir = rpath;
} }
} }
@ -207,7 +212,15 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
strbuf_expand(&expanded_path, interpolated_path, strbuf_expand(&expanded_path, interpolated_path,
expand_path, &context); expand_path, &context);
strlcpy(interp_path, expanded_path.buf, PATH_MAX);
rlen = strlcpy(interp_path, expanded_path.buf,
sizeof(interp_path));
if (rlen >= sizeof(interp_path)) {
logerror("interpolated path too large: %s",
interp_path);
return NULL;
}
strbuf_release(&expanded_path); strbuf_release(&expanded_path);
loginfo("Interpolated dir '%s'", interp_path); loginfo("Interpolated dir '%s'", interp_path);
@ -219,7 +232,11 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
logerror("'%s': Non-absolute path denied (base-path active)", dir); logerror("'%s': Non-absolute path denied (base-path active)", dir);
return NULL; return NULL;
} }
snprintf(rpath, PATH_MAX, "%s%s", base_path, dir); rlen = snprintf(rpath, sizeof(rpath), "%s%s", base_path, dir);
if (rlen >= sizeof(rpath)) {
logerror("base-path too large: %s", rpath);
return NULL;
}
dir = rpath; dir = rpath;
} }