shell.c on commit log: fix -L bounds checking bug (63828b8)
   1#include "cache.h"
   2#include "quote.h"
   3#include "exec_cmd.h"
   4#include "strbuf.h"
   5#include "run-command.h"
   6
/*
 * Directory holding the extra commands this shell may run.  It is used as
 * a relative path, and main() changes to $HOME before consulting it.
 */
#define COMMAND_DIR "git-shell-commands"
/* Run once when an interactive session starts (see run_shell()). */
#define HELP_COMMAND COMMAND_DIR "/help"
/* If this file exists, run_shell() runs it and exits instead of prompting. */
#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"
  10
/*
 * Run one of the allow-listed "git-<name>" commands with a single argument.
 *
 * `me` is the table entry name (it must start with "git-"); `arg` is the
 * still-quoted argument taken from the caller-supplied command string.
 * The dequoted argument is handed over as one argv element, so it is
 * never re-parsed by a shell.  Dies on a missing or undequotable argument.
 */
static int do_generic_cmd(const char *me, char *arg)
{
	const char *child_argv[4];

	setup_path();

	/* A NULL from sq_dequote() is treated as malformed input. */
	if (!arg)
		die("bad argument");
	arg = sq_dequote(arg);
	if (!arg)
		die("bad argument");

	if (prefixcmp(me, "git-") != 0)
		die("bad command");

	/* Skip the "git-" prefix: execv_git_cmd() gets the bare name. */
	child_argv[0] = me + 4;
	child_argv[1] = arg;
	child_argv[2] = NULL;

	return execv_git_cmd(child_argv);
}
  27
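/*
 * Handle the "cvs server" pseudo-command by running "git cvsserver server".
 *
 * `me` is unused.  `arg` must be exactly "server"; anything else, including
 * a missing argument, is fatal.  The child's argv is fixed, so no
 * caller-supplied text reaches the spawned command.
 */
static int do_cvs_cmd(const char *me, char *arg)
{
	const char *cvsserver_argv[3] = {
		"cvsserver", "server", NULL
	};

	if (!arg || strcmp(arg, "server"))
		/* arg may be NULL here; never hand NULL to a %s conversion. */
		die("git-cvsserver only handles server: %s",
		    arg ? arg : "(null)");

	setup_path();
	return execv_git_cmd(cvsserver_argv);
}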
  40
/*
 * Return 1 if `cmd` contains neither '.' nor '/', 0 otherwise.
 *
 * Callers prepend COMMAND_DIR to an accepted name, so this check is what
 * keeps a user-typed name from carrying a path separator or a ".."
 * component out of that directory.  The empty string is accepted.
 */
static int is_valid_cmd_name(const char *cmd)
{
	return strpbrk(cmd, "./") == NULL;
}
  46
/*
 * Build the path COMMAND_DIR "/" prog in a freshly allocated buffer.
 *
 * The buffer is sized for both parts, the separator and the terminating
 * NUL.  The caller owns the result and must free() it.  `prog` is not
 * validated here; callers check it with is_valid_cmd_name() first.
 */
static char *make_cmd(const char *prog)
{
	size_t dir_len = strlen(COMMAND_DIR);
	size_t prog_len = strlen(prog);
	char *path = xmalloc(dir_len + prog_len + 2);

	memcpy(path, COMMAND_DIR, dir_len);
	path[dir_len] = '/';
	/* +1 copies prog's terminating NUL as well. */
	memcpy(path + dir_len + 1, prog, prog_len + 1);
	return path;
}
  55
/*
 * Change the working directory to $HOME, dying if HOME is unset or the
 * chdir() fails.  COMMAND_DIR is a relative path, so every later lookup
 * under it depends on this call having succeeded.
 */
static void cd_to_homedir(void)
{
	const char *home_dir = getenv("HOME");

	if (home_dir == NULL)
		die("could not determine user's home directory; HOME is unset");
	if (chdir(home_dir) == -1)
		die("could not chdir to user's home directory");
}
  64
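/*
 * Interactive "git> " prompt loop.
 *
 * If NOLOGIN_COMMAND exists it is run and its status becomes the exit
 * status (127 when it could not be run); the prompt is never shown.
 * Otherwise HELP_COMMAND is run once, then lines are read from stdin
 * until EOF or one of quit/logout/exit/bye.  A line's first word is run
 * only if it passes is_valid_cmd_name(), and then only as a file under
 * COMMAND_DIR, with the remaining words passed as separate argv entries.
 */
static void run_shell(void)
{
	int done = 0;
	static const char *help_argv[] = { HELP_COMMAND, NULL };

	if (!access(NOLOGIN_COMMAND, F_OK)) {
		/* Interactive login disabled. */
		const char *argv[] = { NOLOGIN_COMMAND, NULL };
		int status;

		status = run_command_v_opt(argv, 0);
		if (status < 0)
			exit(127);
		exit(status);
	}

	/* Print help if enabled */
	run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);

	do {
		struct strbuf line = STRBUF_INIT;
		const char *prog;
		char *full_cmd;
		char *rawargs;
		char *split_args;
		const char **argv;
		int code;
		int count;

		fprintf(stderr, "git> ");
		if (strbuf_getline(&line, stdin, '\n') == EOF) {
			fprintf(stderr, "\n");
			strbuf_release(&line);
			break;
		}
		strbuf_trim(&line);
		rawargs = strbuf_detach(&line, NULL);
		/*
		 * Split a copy so the untouched line is still available for
		 * the error message below.
		 */
		split_args = xstrdup(rawargs);
		count = split_cmdline(split_args, &argv);
		if (count < 0) {
			fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
				split_cmdline_strerror(count));
			free(split_args);
			free(rawargs);
			continue;
		}

		prog = argv[0];
		if (!strcmp(prog, "")) {
			/* Empty line: nothing to run, prompt again. */
		} else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") ||
			   !strcmp(prog, "exit") || !strcmp(prog, "bye")) {
			done = 1;
		} else if (is_valid_cmd_name(prog)) {
			/* Only files directly under COMMAND_DIR can be run. */
			full_cmd = make_cmd(prog);
			argv[0] = full_cmd;
			code = run_command_v_opt(argv, RUN_SILENT_EXEC_FAILURE);
			if (code == -1 && errno == ENOENT) {
				fprintf(stderr, "unrecognized command '%s'\n", prog);
			}
			free(full_cmd);
		} else {
			fprintf(stderr, "invalid command format '%s'\n", prog);
		}

		free(argv);
		/*
		 * The argv[] words are expected to point into split_args, so
		 * it is released only here, after their last use.  The
		 * original freed it on the error path alone and leaked one
		 * copy of every accepted line.
		 */
		free(split_args);
		free(rawargs);
	} while (!done);
}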
 133
/*
 * One entry of the built-in allow-list: the command name as it appears at
 * the start of the "-c" string, and the handler that runs it.
 */
struct commands {
	const char *name;
	int (*exec)(const char *me, char *arg);
};

/*
 * Commands main() dispatches directly.  Anything not listed here is only
 * looked up under COMMAND_DIR.  The table ends with a NULL name.
 */
static struct commands cmd_list[] = {
	{ "git-receive-pack", do_generic_cmd },
	{ "git-upload-pack", do_generic_cmd },
	{ "git-upload-archive", do_generic_cmd },
	{ "cvs", do_cvs_cmd },
	{ NULL, NULL },
};
 144
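/*
 * Restricted login shell entry point.
 *
 * Accepted invocations:
 *   - no arguments:   interactive prompt, only if ~/COMMAND_DIR is usable;
 *   - "-c <command>": run one command from cmd_list, or failing that a
 *                     file under ~/COMMAND_DIR;
 *   - "cvs server" as the single argument: treated like -c "cvs server".
 * Everything else is fatal.  The command string is caller-controlled
 * (typically the remote user's requested command), so it is only matched
 * against the fixed table or reduced to a COMMAND_DIR-relative path that
 * has passed is_valid_cmd_name(); it is never given to a shell.
 */
int main(int argc, char **argv)
{
	char *prog;
	char *full_cmd;
	const char *cmdline = NULL;
	const char **user_argv;
	struct commands *cmd;
	int count;

	git_setup_gettext();

	git_extract_argv0_path(argv[0]);

	/*
	 * Always open file descriptors 0/1/2 to avoid clobbering files
	 * in die().  It also avoids messing up when the pipes are dup'ed
	 * onto stdin/stdout/stderr in the child processes we spawn.
	 */
	sanitize_stdfds();

	/*
	 * Special hack to pretend to be a CVS server
	 */
	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
		/*
		 * Take the command from argv[1] directly.  The original
		 * decremented argv so that argv[2] named this string, which
		 * forms a pointer before the start of the array (undefined
		 * behaviour).
		 */
		cmdline = argv[1];
	} else if (argc == 1) {
		/* Allow the user to run an interactive shell */
		cd_to_homedir();
		if (access(COMMAND_DIR, R_OK | X_OK) == -1) {
			die("Interactive git shell is not enabled.\n"
			    "hint: ~/" COMMAND_DIR " should exist "
			    "and have read and execute access.");
		}
		run_shell();
		exit(0);
	} else if (argc != 3 || strcmp(argv[1], "-c")) {
		/*
		 * We do not accept any other modes except "-c" followed by
		 * "cmd arg", where "cmd" is a very limited subset of git
		 * commands or a command in the COMMAND_DIR
		 */
		die("Run with no arguments or with -c cmd");
	} else {
		cmdline = argv[2];
	}

	prog = xstrdup(cmdline);
	/* The strncmp() match guarantees prog[3] is within the string. */
	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
		/* Accept "git foo" as if the caller said "git-foo". */
		prog[3] = '-';

	for (cmd = cmd_list ; cmd->name ; cmd++) {
		size_t len = strlen(cmd->name);
		char *arg;

		if (strncmp(cmd->name, prog, len))
			continue;
		/*
		 * The name must be followed by end-of-string or one space;
		 * a longer word that merely starts with it is not a match.
		 */
		switch (prog[len]) {
		case '\0':
			arg = NULL;
			break;
		case ' ':
			arg = prog + len + 1;
			break;
		default:
			continue;
		}
		exit(cmd->exec(cmd->name, arg));
	}

	/* Not a built-in: try a user-provided command under ~/COMMAND_DIR. */
	cd_to_homedir();
	count = split_cmdline(prog, &user_argv);
	if (count >= 0) {
		if (is_valid_cmd_name(user_argv[0])) {
			/*
			 * Keep prog alive: the user_argv[] words point into
			 * it.  The original reused prog for the new path and
			 * lost the duplicated command string.
			 */
			full_cmd = make_cmd(user_argv[0]);
			user_argv[0] = full_cmd;
			execv(user_argv[0], (char *const *) user_argv);
			/* Only reached when execv() failed. */
			free(full_cmd);
		}
		free(prog);
		free(user_argv);
		die("unrecognized command '%s'", cmdline);
	} else {
		free(prog);
		die("invalid command format '%s': %s", cmdline,
		    split_cmdline_strerror(count));
	}
}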