Andrew's git / gitweb.git / diff
?
push --signed: tighten what the receiving end can ask to sign
authorJunio C Hamano <gitster@pobox.com>
Thu, 2 Apr 2015 01:00:36 +0000 (18:00 -0700)
committerJunio C Hamano <gitster@pobox.com>
Thu, 2 Apr 2015 18:05:18 +0000 (11:05 -0700)
Instead of blindly trusting the receiving side to give us a sensible
nonce to sign, limit the length (max 256 bytes) and the alphabet
(alnum and a few selected punctuations, enough to encode in base64)
that can be used in nonce.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
send-pack.c patch | blob | history
diff --git a/send-pack.c b/send-pack.c
index 7ad1a5968b6c86598edee62a0b0c35860f7e9c50..22498080271a5702a7e79a72af1f1f8491d15121 100644 (file)
--- a/send-pack.c
+++ b/send-pack.c
@@ -279,6 +279,28 @@ static int generate_push_cert(struct strbuf *req_buf,
        return update_seen;
 }
 
        return update_seen;
 }
 
+#define NONCE_LEN_LIMIT 256
+
+static void reject_invalid_nonce(const char *nonce, int len)
+{
+       int i = 0;
+
+       if (NONCE_LEN_LIMIT <= len)
+               die("the receiving end asked to sign an invalid nonce <%.*s>",
+                   len, nonce);
+
+       for (i = 0; i < len; i++) {
+               int ch = nonce[i] & 0xFF;
+               if (isalnum(ch) ||
+                   ch == '-' || ch == '.' ||
+                   ch == '/' || ch == '+' ||
+                   ch == '=' || ch == '_')
+                       continue;
+               die("the receiving end asked to sign an invalid nonce <%.*s>",
+                   len, nonce);
+       }
+}
+
 int send_pack(struct send_pack_args *args,
              int fd[], struct child_process *conn,
              struct ref *remote_refs,
 int send_pack(struct send_pack_args *args,
              int fd[], struct child_process *conn,
              struct ref *remote_refs,
@@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args,
                push_cert_nonce = server_feature_value("push-cert", &len);
                if (!push_cert_nonce)
                        die(_("the receiving end does not support --signed push"));
                push_cert_nonce = server_feature_value("push-cert", &len);
                if (!push_cert_nonce)
                        die(_("the receiving end does not support --signed push"));
+               reject_invalid_nonce(push_cert_nonce, len);
                push_cert_nonce = xmemdupz(push_cert_nonce, len);
        }
 
                push_cert_nonce = xmemdupz(push_cert_nonce, len);
        }