shell: drop git-cvsserver support by default
authorJeff King <peff@peff.net>
Mon, 11 Sep 2017 15:27:51 +0000 (11:27 -0400)
committerJunio C Hamano <gitster@pobox.com>
Tue, 12 Sep 2017 02:05:58 +0000 (11:05 +0900)
The git-cvsserver script is old and largely unmaintained
these days. But git-shell allows untrusted users to run it
out of the box, significantly increasing its attack surface.

Let's drop it from git-shell's list of internal handlers so
that it cannot be run by default. This is not backwards
compatible. But given the age and development activity on
CVS-related parts of Git, this is likely to impact very few
users, while helping many more (i.e., anybody who runs
git-shell and had no intention of supporting CVS).

There's no configuration mechanism in git-shell for us to
add a boolean and flip it to "off". But there is a mechanism
for adding custom commands, and adding CVS support here is
fairly trivial. Let's document it to give guidance to
anybody who really is still running cvsserver.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/git-shell.txt
shell.c
t/t9400-git-cvsserver-server.sh
index 2e30a3e42d4e4e2bab580b0dcb5701ca3b33aeed..54cf2560bebbfc538644c636f696d4e500f1d852 100644 (file)
@@ -79,6 +79,22 @@ EOF
 $ chmod +x $HOME/git-shell-commands/no-interactive-login
 ----------------
 
+To enable git-cvsserver access (which should generally have the
+`no-interactive-login` example above as a prerequisite, as creating
+the git-shell-commands directory allows interactive logins):
+
+----------------
+$ cat >$HOME/git-shell-commands/cvs <<\EOF
+if ! test $# = 1 && test "$1" = "server"
+then
+       echo >&2 "git-cvsserver only handles \"server\""
+       exit 1
+fi
+exec git cvsserver server
+EOF
+$ chmod +x $HOME/git-shell-commands/cvs
+----------------
+
 SEE ALSO
 --------
 ssh(1),
diff --git a/shell.c b/shell.c
index fe2d314593ba5ee3b985b778c2e7ebfdcd9da44c..234b2d4f16fe79e9260c8409bd4d7c964fe27e72 100644 (file)
--- a/shell.c
+++ b/shell.c
@@ -25,19 +25,6 @@ static int do_generic_cmd(const char *me, char *arg)
        return execv_git_cmd(my_argv);
 }
 
-static int do_cvs_cmd(const char *me, char *arg)
-{
-       const char *cvsserver_argv[3] = {
-               "cvsserver", "server", NULL
-       };
-
-       if (!arg || strcmp(arg, "server"))
-               die("git-cvsserver only handles server: %s", arg);
-
-       setup_path();
-       return execv_git_cmd(cvsserver_argv);
-}
-
 static int is_valid_cmd_name(const char *cmd)
 {
        /* Test command contains no . or / characters */
@@ -134,7 +121,6 @@ static struct commands {
        { "git-receive-pack", do_generic_cmd },
        { "git-upload-pack", do_generic_cmd },
        { "git-upload-archive", do_generic_cmd },
-       { "cvs", do_cvs_cmd },
        { NULL },
 };
 
index 432c61d246c938192a2b31f2db35f4f9b320a788..c30660d60626c886dfa5993acddaebf2d3364de9 100755 (executable)
@@ -588,4 +588,52 @@ test_expect_success 'cvs annotate' '
     test_cmp ../expect ../actual
 '
 
+#------------
+# running via git-shell
+#------------
+
+cd "$WORKDIR"
+
+test_expect_success 'create remote-cvs helper' '
+       write_script remote-cvs <<-\EOF
+       exec git shell -c "cvs server"
+       EOF
+'
+
+test_expect_success 'cvs server does not run with vanilla git-shell' '
+       (
+               cd cvswork &&
+               CVS_SERVER=$WORKDIR/remote-cvs &&
+               export CVS_SERVER &&
+               test_must_fail cvs log merge
+       )
+'
+
+test_expect_success 'configure git shell to run cvs server' '
+       mkdir "$HOME"/git-shell-commands &&
+
+       write_script "$HOME"/git-shell-commands/cvs <<-\EOF &&
+       if ! test $# = 1 && test "$1" = "server"
+       then
+               echo >&2 "git-cvsserver only handles \"server\""
+               exit 1
+       fi
+       exec git cvsserver server
+       EOF
+
+       # Should not be used, but part of the recommended setup
+       write_script "$HOME"/git-shell-commands/no-interactive-login <<-\EOF
+       echo Interactive login forbidden
+       EOF
+'
+
+test_expect_success 'cvs server can run with recommended config' '
+       (
+               cd cvswork &&
+               CVS_SERVER=$WORKDIR/remote-cvs &&
+               export CVS_SERVER &&
+               cvs log merge
+       )
+'
+
 test_done