From: Junio C Hamano Date: Mon, 20 Apr 2015 22:28:31 +0000 (-0700) Subject: Merge branch 'jc/push-cert' X-Git-Tag: v2.4.0-rc3~7 X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/268d5bc2b2a6f261c6da99c3c9557426468a765b Merge branch 'jc/push-cert' The "git push --signed" protocol extension did not limit what the "nonce" that is a server-chosen string can contain or how long it can be, which was unnecessarily lax. Limit both the length and the alphabet to a reasonably small space that can still have enough entropy. * jc/push-cert: push --signed: tighten what the receiving end can ask to sign --- 268d5bc2b2a6f261c6da99c3c9557426468a765b diff --cc send-pack.c index 189bdde0c2,2249808027..2e07ac3339 --- a/send-pack.c +++ b/send-pack.c @@@ -285,29 -279,28 +285,51 @@@ free_return return update_seen; } + +static int atomic_push_failure(struct send_pack_args *args, + struct ref *remote_refs, + struct ref *failing_ref) +{ + struct ref *ref; + /* Mark other refs as failed */ + for (ref = remote_refs; ref; ref = ref->next) { + if (!ref->peer_ref && !args->send_mirror) + continue; + + switch (ref->status) { + case REF_STATUS_EXPECTING_REPORT: + ref->status = REF_STATUS_ATOMIC_PUSH_FAILED; + continue; + default: + break; /* do nothing */ + } + } + return error("atomic push failed for ref %s. status: %d\n", + failing_ref->name, failing_ref->status); +} + + #define NONCE_LEN_LIMIT 256 + + static void reject_invalid_nonce(const char *nonce, int len) + { + int i = 0; + + if (NONCE_LEN_LIMIT <= len) + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + + for (i = 0; i < len; i++) { + int ch = nonce[i] & 0xFF; + if (isalnum(ch) || + ch == '-' || ch == '.' || + ch == '/' || ch == '+' || + ch == '=' || ch == '_') + continue; + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + } + } + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs,
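Review bot: Both `die()` calls in `reject_invalid_nonce` echo the rejected nonce back with `<%.*s>`, so a string the function has just classified as too long, or as containing bytes outside the allowed alphabet, is written verbatim to the user's terminal. The nonce is chosen by the receiving end and is therefore untrusted, and whether `die()` neutralises control bytes is not visible in this hunk. Reporting only the length keeps the diagnostic useful without printing those bytes, e.g. `die("the receiving end asked to sign an invalid nonce (%d bytes)", len);` in both branches. The function also accepts `len == 0` and assumes `len` is non-negative (a negative precision makes `%.*s` read up to the terminating NUL); the caller is outside the hunk, so both are worth confirming there. A short comment above `NONCE_LEN_LIMIT` saying that the limit and the alphabet `[A-Za-z0-9./+=_-]` constrain a server-supplied value would record the intent next to the code.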