Merge branch 'jk/connect-clear-env' into maint
authorJunio C Hamano <gitster@pobox.com>
Fri, 16 Oct 2015 21:32:35 +0000 (14:32 -0700)
committerJunio C Hamano <gitster@pobox.com>
Fri, 16 Oct 2015 21:32:35 +0000 (14:32 -0700)
The ssh transport, just like any other transport over the network,
did not clear GIT_* environment variables, but it is possible to
use SendEnv and AcceptEnv to leak them to the remote invocation of
Git, which is not a good idea at all. Explicitly clear them just
like we do for the local transport.

* jk/connect-clear-env:
git_connect: clarify conn->use_shell flag
git_connect: clear GIT_* environment for ssh

connect.c
diff --combined connect.c
index 27a706f76621621a25b7e58188e5d1da9b9a2ccd,acd39d70c8781d837bce45317d6b9641a522f85f..ced4961398d397e0e21661ce7105be293c3585c2
+++ b/connect.c
@@@ -9,7 -9,6 +9,7 @@@
  #include "url.h"
  #include "string-list.h"
  #include "sha1-array.h"
 +#include "transport.h"
  
  static char *server_capabilities;
  static const char *parse_feature_value(const char *, const char *, int *);
@@@ -695,8 -694,6 +695,8 @@@ struct child_process *git_connect(int f
                else
                        target_host = xstrdup(hostandport);
  
 +              transport_check_allowed("git");
 +
                /* These underlying connection commands die() if they
                 * cannot connect.
                 */
                strbuf_addch(&cmd, ' ');
                sq_quote_buf(&cmd, path);
  
+               /* remove repo-local variables from the environment */
+               conn->env = local_repo_env;
+               conn->use_shell = 1;
                conn->in = conn->out = -1;
                if (protocol == PROTO_SSH) {
                        const char *ssh;
-                       int putty, tortoiseplink = 0;
+                       int putty = 0, tortoiseplink = 0;
                        char *ssh_host = hostandport;
                        const char *port = NULL;
 +                      transport_check_allowed("ssh");
                        get_host_and_port(&ssh_host, &port);
  
                        if (!port)
                        }
  
                        ssh = getenv("GIT_SSH_COMMAND");
-                       if (ssh) {
-                               conn->use_shell = 1;
-                               putty = 0;
-                       } else {
+                       if (!ssh) {
                                const char *base;
                                char *ssh_dup;
  
+                               /*
+                                * GIT_SSH is the no-shell version of
+                                * GIT_SSH_COMMAND (and must remain so for
+                                * historical compatibility).
+                                */
+                               conn->use_shell = 0;
                                ssh = getenv("GIT_SSH");
                                if (!ssh)
                                        ssh = "ssh";
  
                                tortoiseplink = !strcasecmp(base, "tortoiseplink") ||
                                        !strcasecmp(base, "tortoiseplink.exe");
-                               putty = !strcasecmp(base, "plink") ||
-                                       !strcasecmp(base, "plink.exe") || tortoiseplink;
+                               putty = tortoiseplink ||
+                                       !strcasecmp(base, "plink") ||
+                                       !strcasecmp(base, "plink.exe");
  
                                free(ssh_dup);
                        }
                                argv_array_push(&conn->args, port);
                        }
                        argv_array_push(&conn->args, ssh_host);
-                       /* remove repo-local variables from the environment */
-                       conn->env = local_repo_env;
-                       conn->use_shell = 1;
 +              } else {
 +                      transport_check_allowed("file");
                }
                argv_array_push(&conn->args, cmd.buf);
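Review bot: The comment added above `conn->env = local_repo_env;` should say exactly which variables are dropped, because the merge description speaks of clearing GIT_* while the code removes only the names in local_repo_env, a list defined outside this diff. Any other GIT_* variable in the caller's environment would presumably still reach the ssh child and could be forwarded to the remote side when the SendEnv and AcceptEnv patterns match it. I would word the comment as `/* drop only the names in local_repo_env; other GIT_* variables still reach the child */`. It is also worth stating there that the assignment now sits before the `if (protocol == PROTO_SSH)` test, so it covers the ssh branch and the `else` branch alike. The hunk headers for this part of connect.c are missing from the page and git_connect() starts and ends outside the lines shown, so this rests on the visible lines only.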