-#include "cache.h"
-#include "pkt-line.h"
#include <signal.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <syslog.h>
+#include "pkt-line.h"
+#include "cache.h"
static int log_syslog;
static int verbose;
static const char daemon_usage[] =
"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
-" [--timeout=n] [--init-timeout=n] [directory...]";
+" [--timeout=n] [--init-timeout=n] [--strict-paths] [directory...]";
/* List of acceptable pathname prefixes */
static char **ok_paths = NULL;
+static int strict_paths = 0;
/* If this is set, git-daemon-export-ok is not required */
static int export_all_trees = 0;
va_end(params);
}
-static int path_ok(const char *dir)
+static int avoid_alias(char *p)
{
- const char *p = dir;
- char **pp;
int sl, ndot;
- /* The pathname here should be an absolute path. */
- if ( *p++ != '/' )
- return 0;
-
- sl = 1; ndot = 0;
-
- for (;;) {
- if ( *p == '.' ) {
- ndot++;
- } else if ( *p == '\0' ) {
- /* Reject "." and ".." at the end of the path */
- if ( sl && ndot > 0 && ndot < 3 )
- return 0;
-
- /* Otherwise OK */
- break;
- } else if ( *p == '/' ) {
- /* Refuse "", "." or ".." */
- if ( sl && ndot < 3 )
+ /*
+ * This resurrects the belts and suspenders paranoia check by HPA
+ * done in <435560F7.4080006@zytor.com> thread, now enter_repo()
+ * does not do getcwd() based path canonicalizations.
+ *
+ * sl becomes true immediately after seeing '/' and continues to
+ * be true as long as dots continue after that without intervening
+ * non-dot character.
+ */
+ if (!p || (*p != '/' && *p != '~'))
+ return -1;
+ sl = 1; ndot = 0;
+ p++;
+
+ while (1) {
+ char ch = *p++;
+ if (sl) {
+ if (ch == '.')
+ ndot++;
+ else if (ch == '/') {
+ if (ndot < 3)
+ /* reject //, /./ and /../ */
+ return -1;
+ ndot = 0;
+ }
+ else if (ch == 0) {
+ if (0 < ndot && ndot < 3)
+ /* reject /.$ and /..$ */
+ return -1;
return 0;
+ }
+ else
+ sl = ndot = 0;
+ }
+ else if (ch == 0)
+ return 0;
+ else if (ch == '/') {
sl = 1;
ndot = 0;
- } else {
- sl = ndot = 0;
}
- p++;
}
+}
- if ( ok_paths && *ok_paths ) {
- int ok = 0;
- int dirlen = strlen(dir);
-
- for ( pp = ok_paths ; *pp ; pp++ ) {
- int len = strlen(*pp);
- if ( len <= dirlen &&
- !strncmp(*pp, dir, len) &&
- (dir[len] == '/' || dir[len] == '\0') ) {
- ok = 1;
- break;
- }
- }
+static char *path_ok(char *dir)
+{
+ char *path;
- if ( !ok )
- return 0; /* Path not in whitelist */
+ if (avoid_alias(dir)) {
+ logerror("'%s': aliased", dir);
+ return NULL;
}
- return 1; /* Path acceptable */
-}
+ path = enter_repo(dir, strict_paths);
-static int set_dir(const char *dir)
-{
- if (!path_ok(dir)) {
- errno = EACCES;
- return -1;
+ if (!path) {
+ logerror("'%s': unable to chdir or not a git archive", dir);
+ return NULL;
}
- if ( chdir(dir) )
- return -1;
-
- /*
- * Security on the cheap.
- *
- * We want a readable HEAD, usable "objects" directory, and
- * a "git-daemon-export-ok" flag that says that the other side
- * is ok with us doing this.
- */
- if (!export_all_trees && access("git-daemon-export-ok", F_OK)) {
- errno = EACCES;
- return -1;
+ if ( ok_paths && *ok_paths ) {
+ char **pp;
+ int pathlen = strlen(path);
+
+ /* The validation is done on the paths after enter_repo
+ * appends optional {.git,.git/.git} and friends, but
+ * it does not use getcwd(). So if your /pub is
+ * a symlink to /mnt/pub, you can whitelist /pub and
+ * do not have to say /mnt/pub.
+ * Do not say /pub/.
+ */
+ for ( pp = ok_paths ; *pp ; pp++ ) {
+ int len = strlen(*pp);
+ if (len <= pathlen &&
+ !memcmp(*pp, path, len) &&
+ (path[len] == '\0' ||
+ (!strict_paths && path[len] == '/')))
+ return path;
+ }
}
-
- if (access("objects/", X_OK) || access("HEAD", R_OK)) {
- errno = EINVAL;
- return -1;
+ else {
+ /* be backwards compatible */
+ if (!strict_paths)
+ return path;
}
- /* If all this passed, we're OK */
- return 0;
+ logerror("'%s': not in whitelist", path);
+ return NULL; /* Fallthrough. Deny by default */
}
static int upload(char *dir)
{
- /* Try paths in this order */
- static const char *paths[] = { "%s", "%s/.git", "%s.git", "%s.git/.git", NULL };
- const char **pp;
- /* Enough for the longest path above including final null */
- int buflen = strlen(dir)+10;
- char *dirbuf = xmalloc(buflen);
/* Timeout as string */
char timeout_buf[64];
+ const char *path;
loginfo("Request for '%s'", dir);
- for ( pp = paths ; *pp ; pp++ ) {
- snprintf(dirbuf, buflen, *pp, dir);
- if ( !set_dir(dirbuf) )
- break;
- }
+ if (!(path = path_ok(dir)))
+ return -1;
- if ( !*pp ) {
- logerror("Cannot set directory '%s': %s", dir, strerror(errno));
+ /*
+ * Security on the cheap.
+ *
+ * We want a readable HEAD, usable "objects" directory, and
+ * a "git-daemon-export-ok" flag that says that the other side
+ * is ok with us doing this.
+ *
+ * path_ok() uses enter_repo() and does whitelist checking.
+ * We only need to make sure the repository is exported.
+ */
+
+ if (!export_all_trees && access("git-daemon-export-ok", F_OK)) {
+ logerror("'%s': repository not exported.", path);
+ errno = EACCES;
return -1;
}
if (len && line[len-1] == '\n')
line[--len] = 0;
- if (!strncmp("git-upload-pack /", line, 17))
+ if (!strncmp("git-upload-pack ", line, 16))
return upload(line+16);
logerror("Protocol error: '%s'", line);
return 0;
}
+ if (listen(sockfd, 5) < 0) {
+ close(sockfd);
+ return 0;
+ }
+
*socklist_p = xmalloc(sizeof(int));
**socklist_p = sockfd;
+ return 1;
}
#endif
}
signal(SIGCHLD, child_handler);
-
+
for (;;) {
int i;
- if (poll(pfd, socknum, 0) < 0) {
+ if (poll(pfd, socknum, -1) < 0) {
if (errno != EINTR) {
error("poll failed, resuming: %s",
strerror(errno));
static int serve(int port)
{
int socknum, *socklist;
-
+
socknum = socksetup(port, &socklist);
if (socknum == 0)
die("unable to allocate any listen sockets on port %u", port);
-
+
return service_loop(socknum, socklist);
-}
+}
int main(int argc, char **argv)
{
}
if (!strcmp(arg, "--inetd")) {
inetd_mode = 1;
+ log_syslog = 1;
continue;
}
if (!strcmp(arg, "--verbose")) {
}
if (!strcmp(arg, "--syslog")) {
log_syslog = 1;
- openlog("git-daemon", 0, LOG_DAEMON);
continue;
}
if (!strcmp(arg, "--export-all")) {
}
if (!strncmp(arg, "--timeout=", 10)) {
timeout = atoi(arg+10);
+ continue;
}
- if (!strncmp(arg, "--init-timeout=", 10)) {
+ if (!strncmp(arg, "--init-timeout=", 15)) {
init_timeout = atoi(arg+15);
+ continue;
+ }
+ if (!strcmp(arg, "--strict-paths")) {
+ strict_paths = 1;
+ continue;
}
if (!strcmp(arg, "--")) {
ok_paths = &argv[i+1];
usage(daemon_usage);
}
+ if (log_syslog)
+ openlog("git-daemon", 0, LOG_DAEMON);
+
+ if (strict_paths && (!ok_paths || !*ok_paths)) {
+ if (!inetd_mode)
+ die("git-daemon: option --strict-paths requires a whitelist");
+
+ logerror("option --strict-paths requires a whitelist");
+ exit (1);
+ }
+
if (inetd_mode) {
fclose(stderr); //FIXME: workaround
return execute();
- } else {
- return serve(port);
}
+
+ return serve(port);
}