From: Junio C Hamano <gitster@pobox.com>
Date: Mon, 27 Apr 2015 19:23:47 +0000 (-0700)
Subject: Merge branch 'jc/push-cert' into maint
X-Git-Tag: v2.3.7~3
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/631f6f1d47cc51a46c8ab48ea1178ea04cff0b8a?hp=ba63bfaa59ee41bd679286a594cc643b5a53c48d

Merge branch 'jc/push-cert' into maint

The "git push --signed" protocol extension did not limit what the
"nonce" that is a server-chosen string can contain or how long it
can be, which was unnecessarily lax.  Limit both the length and the
alphabet to a reasonably small space that can still have enough
entropy.

* jc/push-cert:
push --signed: tighten what the receiving end can ask to sign
---

diff --git a/send-pack.c b/send-pack.c
index 25947d7df9..677bac3193 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -281,6 +281,28 @@ static int generate_push_cert(struct strbuf *req_buf,
 	return update_seen;
 }
 
+#define NONCE_LEN_LIMIT 256
+
+static void reject_invalid_nonce(const char *nonce, int len)
+{
+	int i = 0;
+
+	if (NONCE_LEN_LIMIT <= len)
+		die("the receiving end asked to sign an invalid nonce <%.*s>",
+		    len, nonce);
+
+	for (i = 0; i < len; i++) {
+		int ch = nonce[i] & 0xFF;
+		if (isalnum(ch) ||
+		    ch == '-' || ch == '.' ||
+		    ch == '/' || ch == '+' ||
+		    ch == '=' || ch == '_')
+			continue;
+		die("the receiving end asked to sign an invalid nonce <%.*s>",
+		    len, nonce);
+	}
+}
+
 int send_pack(struct send_pack_args *args,
 	      int fd[], struct child_process *conn,
 	      struct ref *remote_refs,
@@ -323,6 +345,7 @@ int send_pack(struct send_pack_args *args,
 		push_cert_nonce = server_feature_value("push-cert", &len);
 		if (!push_cert_nonce)
 			die(_("the receiving end does not support --signed push"));
+		reject_invalid_nonce(push_cert_nonce, len);
 		push_cert_nonce = xmemdupz(push_cert_nonce, len);
 	}