From 3ec804490a265f4c418a321428c12f3f18b7eff5 Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Sat, 29 Apr 2017 08:36:44 -0400
Subject: [PATCH] shell: disallow repo names beginning with dash
When a remote server uses git-shell, the client side will
connect to it like:
ssh server "git-upload-pack 'foo.git'"
and we literally exec ("git-upload-pack", "foo.git"). In
early versions of upload-pack and receive-pack, we took a
repository argument and nothing else. But over time they
learned to accept dashed options. If the user passes a
repository name that starts with a dash, the results are
confusing at best (we complain of a bogus option instead of
a non-existent repository) and malicious at worst (the user
can start an interactive pager via "--help").
We could pass "--" to the sub-process to make sure the
user's argument is interpreted as a branch name. I.e.:
git-upload-pack -- -foo.git
But adding "--" automatically would make us inconsistent
with a normal shell (i.e., when git-shell is not in use),
where "-foo.git" would still be an error. For that case, the
client would have to specify the "--", but they can't do so
reliably, as existing versions of git-shell do not allow
more than a single argument.
The simplest thing is to simply disallow "-" at the start of
the repo name argument. This hasn't worked either with or
without git-shell since version 1.0.0, and nobody has
complained.
Note that this patch just applies to do_generic_cmd(), which
runs upload-pack, receive-pack, and upload-archive. There
are two other types of commands that git-shell runs:
- do_cvs_cmd(), but this already restricts the argument to
be the literal string "server"
- admin-provided commands in the git-shell-commands
directory. We'll pass along arbitrary arguments there,
so these commands could have similar problems. But these
commands might actually understand dashed arguments, so
we cannot just block them here. It's up to the writer of
the commands to make sure they are safe. With great
power comes great responsibility.
Reported-by: Timo Schmid <tschmid@ernw.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
shell.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shell.c b/shell.c
index ace62e4..c3bf8ec 100644
--- a/shell.c
+++ b/shell.c
@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg)
const char *my_argv[4];
setup_path();
- if (!arg || !(arg = sq_dequote(arg)))
+ if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
die("bad argument");
if (!starts_with(me, "git-"))
die("bad command");
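Review bot: The added `*arg == '-'` test on the changed `if` line carries no comment, so a later reader of shell.c sees only that a leading dash is a "bad argument" and not the reason from the commit message, that such a name would be parsed as an option by the exec'd upload-pack, receive-pack or upload-archive rather than as a repository path. I would put `/* a leading '-' would be taken as an option by the sub-command, not as a repo name */` above the condition. Because the new check shares `die("bad argument")` with the sq_dequote failure, a client that sends such a name gets no hint which check refused it; a separate branch such as `if (*arg == '-') die("repository name may not start with '-'");` would make the refusal easier to diagnose. The rest of do_generic_cmd, including where my_argv is filled in and executed, lies outside the hunk, so I cannot tell from here whether any later code re-derives the repository name from arg.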
--
2.9.4