2005-07-09 01:20:59 +02:00
|
|
|
/*
|
2013-03-30 10:53:32 +01:00
|
|
|
* Utilities for paths and pathnames
|
2005-07-09 01:20:59 +02:00
|
|
|
*/
|
|
|
|
#include "cache.h"
|
2009-11-17 18:24:25 +01:00
|
|
|
#include "strbuf.h"
|
2012-10-28 17:16:23 +01:00
|
|
|
#include "string-list.h"
|
2005-07-09 01:20:59 +02:00
|
|
|
|
2013-03-23 13:40:29 +01:00
|
|
|
#ifndef get_st_mode_bits
|
|
|
|
/*
|
|
|
|
* The replacement lstat(2) we use on Cygwin is incomplete and
|
|
|
|
* may return wrong permission bits. Most of the time we do not care,
|
|
|
|
* but the callsites of this wrapper do care.
|
|
|
|
*/
|
|
|
|
int get_st_mode_bits(const char *path, int *mode)
|
|
|
|
{
|
|
|
|
struct stat st;
|
|
|
|
if (lstat(path, &st) < 0)
|
|
|
|
return -1;
|
|
|
|
*mode = st.st_mode;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-07-09 01:20:59 +02:00
|
|
|
static char bad_path[] = "/bad-path/";
|
|
|
|
|
2006-09-11 21:03:15 +02:00
|
|
|
static char *get_pathname(void)
|
|
|
|
{
|
|
|
|
static char pathname_array[4][PATH_MAX];
|
|
|
|
static int index;
|
|
|
|
return pathname_array[3 & ++index];
|
|
|
|
}
|
|
|
|
|
2005-07-09 01:20:59 +02:00
|
|
|
static char *cleanup_path(char *path)
|
|
|
|
{
|
|
|
|
/* Clean it up */
|
|
|
|
if (!memcmp(path, "./", 2)) {
|
|
|
|
path += 2;
|
|
|
|
while (*path == '/')
|
|
|
|
path++;
|
|
|
|
}
|
|
|
|
return path;
|
|
|
|
}
|
|
|
|
|
2008-10-26 22:59:13 +01:00
|
|
|
char *mksnpath(char *buf, size_t n, const char *fmt, ...)
|
|
|
|
{
|
|
|
|
va_list args;
|
|
|
|
unsigned len;
|
|
|
|
|
|
|
|
va_start(args, fmt);
|
|
|
|
len = vsnprintf(buf, n, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
if (len >= n) {
|
2008-11-10 22:07:52 +01:00
|
|
|
strlcpy(buf, bad_path, n);
|
2008-10-26 22:59:13 +01:00
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
return cleanup_path(buf);
|
|
|
|
}
|
|
|
|
|
2012-09-04 19:26:30 +02:00
|
|
|
static char *vsnpath(char *buf, size_t n, const char *fmt, va_list args)
|
2008-10-27 10:22:21 +01:00
|
|
|
{
|
|
|
|
const char *git_dir = get_git_dir();
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
len = strlen(git_dir);
|
|
|
|
if (n < len + 1)
|
|
|
|
goto bad;
|
|
|
|
memcpy(buf, git_dir, len);
|
|
|
|
if (len && !is_dir_sep(git_dir[len-1]))
|
|
|
|
buf[len++] = '/';
|
|
|
|
len += vsnprintf(buf + len, n - len, fmt, args);
|
|
|
|
if (len >= n)
|
|
|
|
goto bad;
|
|
|
|
return cleanup_path(buf);
|
|
|
|
bad:
|
2008-11-10 22:07:52 +01:00
|
|
|
strlcpy(buf, bad_path, n);
|
2008-10-27 10:22:21 +01:00
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
2008-10-27 11:17:51 +01:00
|
|
|
char *git_snpath(char *buf, size_t n, const char *fmt, ...)
|
|
|
|
{
|
2012-09-04 19:27:54 +02:00
|
|
|
char *ret;
|
2008-10-27 11:17:51 +01:00
|
|
|
va_list args;
|
|
|
|
va_start(args, fmt);
|
2012-09-04 19:27:54 +02:00
|
|
|
ret = vsnpath(buf, n, fmt, args);
|
2008-10-27 11:17:51 +01:00
|
|
|
va_end(args);
|
2012-09-04 19:27:54 +02:00
|
|
|
return ret;
|
2008-10-27 11:17:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
char *git_pathdup(const char *fmt, ...)
|
|
|
|
{
|
2012-09-04 19:27:54 +02:00
|
|
|
char path[PATH_MAX], *ret;
|
2008-10-27 11:17:51 +01:00
|
|
|
va_list args;
|
|
|
|
va_start(args, fmt);
|
2012-09-04 19:27:54 +02:00
|
|
|
ret = vsnpath(path, sizeof(path), fmt, args);
|
2008-10-27 11:17:51 +01:00
|
|
|
va_end(args);
|
2012-09-04 19:27:54 +02:00
|
|
|
return xstrdup(ret);
|
2008-10-27 11:17:51 +01:00
|
|
|
}
|
|
|
|
|
2012-06-22 11:03:23 +02:00
|
|
|
char *mkpathdup(const char *fmt, ...)
|
|
|
|
{
|
|
|
|
char *path;
|
|
|
|
struct strbuf sb = STRBUF_INIT;
|
|
|
|
va_list args;
|
|
|
|
|
|
|
|
va_start(args, fmt);
|
|
|
|
strbuf_vaddf(&sb, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
path = xstrdup(cleanup_path(sb.buf));
|
|
|
|
|
|
|
|
strbuf_release(&sb);
|
|
|
|
return path;
|
|
|
|
}
|
|
|
|
|
2005-07-09 01:20:59 +02:00
|
|
|
char *mkpath(const char *fmt, ...)
|
|
|
|
{
|
|
|
|
va_list args;
|
|
|
|
unsigned len;
|
2006-09-11 21:03:15 +02:00
|
|
|
char *pathname = get_pathname();
|
2005-07-09 01:20:59 +02:00
|
|
|
|
|
|
|
va_start(args, fmt);
|
|
|
|
len = vsnprintf(pathname, PATH_MAX, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
if (len >= PATH_MAX)
|
|
|
|
return bad_path;
|
|
|
|
return cleanup_path(pathname);
|
|
|
|
}
|
|
|
|
|
|
|
|
char *git_path(const char *fmt, ...)
|
|
|
|
{
|
2006-09-11 21:03:15 +02:00
|
|
|
char *pathname = get_pathname();
|
2005-07-09 01:20:59 +02:00
|
|
|
va_list args;
|
2012-09-04 19:29:22 +02:00
|
|
|
char *ret;
|
2005-07-09 01:20:59 +02:00
|
|
|
|
|
|
|
va_start(args, fmt);
|
2012-09-04 19:29:22 +02:00
|
|
|
ret = vsnpath(pathname, PATH_MAX, fmt, args);
|
2005-07-09 01:20:59 +02:00
|
|
|
va_end(args);
|
2012-09-04 19:29:22 +02:00
|
|
|
return ret;
|
2005-07-09 01:20:59 +02:00
|
|
|
}
|
2005-08-04 22:43:03 +02:00
|
|
|
|
2012-06-22 11:03:23 +02:00
|
|
|
void home_config_paths(char **global, char **xdg, char *file)
|
|
|
|
{
|
|
|
|
char *xdg_home = getenv("XDG_CONFIG_HOME");
|
|
|
|
char *home = getenv("HOME");
|
|
|
|
char *to_free = NULL;
|
|
|
|
|
|
|
|
if (!home) {
|
|
|
|
if (global)
|
|
|
|
*global = NULL;
|
|
|
|
} else {
|
|
|
|
if (!xdg_home) {
|
|
|
|
to_free = mkpathdup("%s/.config", home);
|
|
|
|
xdg_home = to_free;
|
|
|
|
}
|
|
|
|
if (global)
|
|
|
|
*global = mkpathdup("%s/.gitconfig", home);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!xdg_home)
|
|
|
|
*xdg = NULL;
|
|
|
|
else
|
|
|
|
*xdg = mkpathdup("%s/git/%s", xdg_home, file);
|
|
|
|
|
|
|
|
free(to_free);
|
|
|
|
}
|
|
|
|
|
2010-07-07 15:39:11 +02:00
|
|
|
char *git_path_submodule(const char *path, const char *fmt, ...)
|
|
|
|
{
|
|
|
|
char *pathname = get_pathname();
|
|
|
|
struct strbuf buf = STRBUF_INIT;
|
|
|
|
const char *git_dir;
|
|
|
|
va_list args;
|
|
|
|
unsigned len;
|
|
|
|
|
|
|
|
len = strlen(path);
|
|
|
|
if (len > PATH_MAX-100)
|
|
|
|
return bad_path;
|
|
|
|
|
|
|
|
strbuf_addstr(&buf, path);
|
|
|
|
if (len && path[len-1] != '/')
|
|
|
|
strbuf_addch(&buf, '/');
|
|
|
|
strbuf_addstr(&buf, ".git");
|
|
|
|
|
2011-08-22 23:04:56 +02:00
|
|
|
git_dir = read_gitfile(buf.buf);
|
2010-07-07 15:39:11 +02:00
|
|
|
if (git_dir) {
|
|
|
|
strbuf_reset(&buf);
|
|
|
|
strbuf_addstr(&buf, git_dir);
|
|
|
|
}
|
|
|
|
strbuf_addch(&buf, '/');
|
|
|
|
|
|
|
|
if (buf.len >= PATH_MAX)
|
|
|
|
return bad_path;
|
|
|
|
memcpy(pathname, buf.buf, buf.len + 1);
|
|
|
|
|
|
|
|
strbuf_release(&buf);
|
|
|
|
len = strlen(pathname);
|
|
|
|
|
|
|
|
va_start(args, fmt);
|
|
|
|
len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
if (len >= PATH_MAX)
|
|
|
|
return bad_path;
|
|
|
|
return cleanup_path(pathname);
|
|
|
|
}
|
2005-08-04 22:43:03 +02:00
|
|
|
|
2007-01-02 08:31:08 +01:00
|
|
|
int validate_headref(const char *path)
|
2005-11-18 23:59:34 +01:00
|
|
|
{
|
|
|
|
struct stat st;
|
|
|
|
char *buf, buffer[256];
|
2007-01-02 08:31:08 +01:00
|
|
|
unsigned char sha1[20];
|
2008-04-27 20:21:58 +02:00
|
|
|
int fd;
|
|
|
|
ssize_t len;
|
2005-11-18 23:59:34 +01:00
|
|
|
|
|
|
|
if (lstat(path, &st) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
/* Make sure it is a "refs/.." symlink */
|
|
|
|
if (S_ISLNK(st.st_mode)) {
|
|
|
|
len = readlink(path, buffer, sizeof(buffer)-1);
|
2009-02-12 22:02:09 +01:00
|
|
|
if (len >= 5 && !memcmp("refs/", buffer, 5))
|
2005-11-18 23:59:34 +01:00
|
|
|
return 0;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Anything else, just open it and try to see if it is a symbolic ref.
|
|
|
|
*/
|
|
|
|
fd = open(path, O_RDONLY);
|
|
|
|
if (fd < 0)
|
|
|
|
return -1;
|
2007-01-08 16:58:08 +01:00
|
|
|
len = read_in_full(fd, buffer, sizeof(buffer)-1);
|
2005-11-18 23:59:34 +01:00
|
|
|
close(fd);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Is it a symbolic ref?
|
|
|
|
*/
|
2007-01-02 08:31:08 +01:00
|
|
|
if (len < 4)
|
2005-11-18 23:59:34 +01:00
|
|
|
return -1;
|
2007-01-02 08:31:08 +01:00
|
|
|
if (!memcmp("ref:", buffer, 4)) {
|
|
|
|
buf = buffer + 4;
|
|
|
|
len -= 4;
|
|
|
|
while (len && isspace(*buf))
|
|
|
|
buf++, len--;
|
2009-02-12 22:02:09 +01:00
|
|
|
if (len >= 5 && !memcmp("refs/", buf, 5))
|
2007-01-02 08:31:08 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Is this a detached HEAD?
|
|
|
|
*/
|
|
|
|
if (!get_sha1_hex(buffer, sha1))
|
2005-11-18 23:59:34 +01:00
|
|
|
return 0;
|
2007-01-02 08:31:08 +01:00
|
|
|
|
2005-11-18 23:59:34 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2009-11-17 18:24:25 +01:00
|
|
|
static struct passwd *getpw_str(const char *username, size_t len)
|
2005-11-17 20:37:14 +01:00
|
|
|
{
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
struct passwd *pw;
|
2009-11-17 18:24:25 +01:00
|
|
|
char *username_z = xmalloc(len + 1);
|
|
|
|
memcpy(username_z, username, len);
|
|
|
|
username_z[len] = '\0';
|
|
|
|
pw = getpwnam(username_z);
|
|
|
|
free(username_z);
|
|
|
|
return pw;
|
|
|
|
}
|
2005-11-17 20:37:14 +01:00
|
|
|
|
2009-11-17 18:24:25 +01:00
|
|
|
/*
|
|
|
|
* Return a string with ~ and ~user expanded via getpw*. If buf != NULL,
|
|
|
|
* then it is a newly allocated string. Returns NULL on getpw failure or
|
|
|
|
* if path is NULL.
|
|
|
|
*/
|
|
|
|
char *expand_user_path(const char *path)
|
|
|
|
{
|
|
|
|
struct strbuf user_path = STRBUF_INIT;
|
|
|
|
const char *first_slash = strchrnul(path, '/');
|
|
|
|
const char *to_copy = path;
|
|
|
|
|
|
|
|
if (path == NULL)
|
|
|
|
goto return_null;
|
|
|
|
if (path[0] == '~') {
|
|
|
|
const char *username = path + 1;
|
|
|
|
size_t username_len = first_slash - username;
|
2009-11-19 16:21:15 +01:00
|
|
|
if (username_len == 0) {
|
|
|
|
const char *home = getenv("HOME");
|
2010-07-26 17:06:51 +02:00
|
|
|
if (!home)
|
|
|
|
goto return_null;
|
2009-11-19 16:21:15 +01:00
|
|
|
strbuf_add(&user_path, home, strlen(home));
|
|
|
|
} else {
|
|
|
|
struct passwd *pw = getpw_str(username, username_len);
|
|
|
|
if (!pw)
|
|
|
|
goto return_null;
|
|
|
|
strbuf_add(&user_path, pw->pw_dir, strlen(pw->pw_dir));
|
2005-11-17 20:37:14 +01:00
|
|
|
}
|
2009-11-17 18:24:25 +01:00
|
|
|
to_copy = first_slash;
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
}
|
2009-11-17 18:24:25 +01:00
|
|
|
strbuf_add(&user_path, to_copy, strlen(to_copy));
|
|
|
|
return strbuf_detach(&user_path, NULL);
|
|
|
|
return_null:
|
|
|
|
strbuf_release(&user_path);
|
|
|
|
return NULL;
|
2005-11-17 20:37:14 +01:00
|
|
|
}
|
|
|
|
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
/*
|
|
|
|
* First, one directory to try is determined by the following algorithm.
|
|
|
|
*
|
|
|
|
* (0) If "strict" is given, the path is used as given and no DWIM is
|
|
|
|
* done. Otherwise:
|
|
|
|
* (1) "~/path" to mean path under the running user's home directory;
|
|
|
|
* (2) "~user/path" to mean path under named user's home directory;
|
|
|
|
* (3) "relative/path" to mean cwd relative directory; or
|
|
|
|
* (4) "/absolute/path" to mean absolute directory.
|
|
|
|
*
|
|
|
|
* Unless "strict" is given, we try access() for existence of "%s.git/.git",
|
|
|
|
* "%s/.git", "%s.git", "%s" in this order. The first one that exists is
|
|
|
|
* what we try.
|
|
|
|
*
|
|
|
|
* Second, we try chdir() to that. Upon failure, we return NULL.
|
|
|
|
*
|
|
|
|
* Then, we try if the current directory is a valid git repository.
|
|
|
|
* Upon failure, we return NULL.
|
|
|
|
*
|
|
|
|
* If all goes well, we return the directory we used to chdir() (but
|
|
|
|
* before ~user is expanded), avoiding getcwd() resolving symbolic
|
|
|
|
* links. User relative paths are also returned as they are given,
|
|
|
|
* except DWIM suffixing.
|
|
|
|
*/
|
2011-10-04 22:02:00 +02:00
|
|
|
const char *enter_repo(const char *path, int strict)
|
2005-11-17 20:37:14 +01:00
|
|
|
{
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
static char used_path[PATH_MAX];
|
|
|
|
static char validated_path[PATH_MAX];
|
|
|
|
|
|
|
|
if (!path)
|
2005-11-17 20:37:14 +01:00
|
|
|
return NULL;
|
|
|
|
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
if (!strict) {
|
|
|
|
static const char *suffix[] = {
|
standardize and improve lookup rules for external local repos
When you specify a local repository on the command line of
clone, ls-remote, upload-pack, receive-pack, or upload-archive,
or in a request to git-daemon, we perform a little bit of
lookup magic, doing things like looking in working trees for
.git directories and appending ".git" for bare repos.
For clone, this magic happens in get_repo_path. For
everything else, it happens in enter_repo. In both cases,
there are some ambiguous or confusing cases that aren't
handled well, and there is one case that is not handled the
same by both methods.
This patch tries to provide (and test!) standard, sensible
lookup rules for both code paths. The intended changes are:
1. When looking up "foo", we have always preferred
a working tree "foo" (containing "foo/.git" over the
bare "foo.git". But we did not prefer a bare "foo" over
"foo.git". With this patch, we do so.
2. We would select directories that existed but didn't
actually look like git repositories. With this patch,
we make sure a selected directory looks like a git
repo. Not only is this more sensible in general, but it
will help anybody who is negatively affected by change
(1) negatively (e.g., if they had "foo.git" next to its
separate work tree "foo", and expect to keep finding
"foo.git" when they reference "foo").
3. The enter_repo code path would, given "foo", look for
"foo.git/.git" (i.e., do the ".git" append magic even
for a repo with working tree). The clone code path did
not; with this patch, they now behave the same.
In the unlikely case of a working tree overlaying a bare
repo (i.e., a ".git" directory _inside_ a bare repo), we
continue to treat it as a working tree (prefering the
"inner" .git over the bare repo). This is mainly because the
combination seems nonsensical, and I'd rather stick with
existing behavior on the off chance that somebody is relying
on it.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-02-02 22:59:13 +01:00
|
|
|
"/.git", "", ".git/.git", ".git", NULL,
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
};
|
2011-10-04 22:05:17 +02:00
|
|
|
const char *gitfile;
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
int len = strlen(path);
|
|
|
|
int i;
|
2011-10-04 22:02:00 +02:00
|
|
|
while ((1 < len) && (path[len-1] == '/'))
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
len--;
|
2011-10-04 22:02:00 +02:00
|
|
|
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
if (PATH_MAX <= len)
|
2005-11-17 20:37:14 +01:00
|
|
|
return NULL;
|
2011-10-04 22:02:00 +02:00
|
|
|
strncpy(used_path, path, len); used_path[len] = 0 ;
|
|
|
|
strcpy(validated_path, used_path);
|
|
|
|
|
|
|
|
if (used_path[0] == '~') {
|
|
|
|
char *newpath = expand_user_path(used_path);
|
2009-11-17 18:24:25 +01:00
|
|
|
if (!newpath || (PATH_MAX - 10 < strlen(newpath))) {
|
|
|
|
free(newpath);
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
return NULL;
|
2009-11-17 18:24:25 +01:00
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Copy back into the static buffer. A pity
|
|
|
|
* since newpath was not bounded, but other
|
|
|
|
* branches of the if are limited by PATH_MAX
|
|
|
|
* anyway.
|
|
|
|
*/
|
|
|
|
strcpy(used_path, newpath); free(newpath);
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
}
|
|
|
|
else if (PATH_MAX - 10 < len)
|
|
|
|
return NULL;
|
2011-10-04 22:02:00 +02:00
|
|
|
len = strlen(used_path);
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
for (i = 0; suffix[i]; i++) {
|
standardize and improve lookup rules for external local repos
When you specify a local repository on the command line of
clone, ls-remote, upload-pack, receive-pack, or upload-archive,
or in a request to git-daemon, we perform a little bit of
lookup magic, doing things like looking in working trees for
.git directories and appending ".git" for bare repos.
For clone, this magic happens in get_repo_path. For
everything else, it happens in enter_repo. In both cases,
there are some ambiguous or confusing cases that aren't
handled well, and there is one case that is not handled the
same by both methods.
This patch tries to provide (and test!) standard, sensible
lookup rules for both code paths. The intended changes are:
1. When looking up "foo", we have always preferred
a working tree "foo" (containing "foo/.git" over the
bare "foo.git". But we did not prefer a bare "foo" over
"foo.git". With this patch, we do so.
2. We would select directories that existed but didn't
actually look like git repositories. With this patch,
we make sure a selected directory looks like a git
repo. Not only is this more sensible in general, but it
will help anybody who is negatively affected by change
(1) negatively (e.g., if they had "foo.git" next to its
separate work tree "foo", and expect to keep finding
"foo.git" when they reference "foo").
3. The enter_repo code path would, given "foo", look for
"foo.git/.git" (i.e., do the ".git" append magic even
for a repo with working tree). The clone code path did
not; with this patch, they now behave the same.
In the unlikely case of a working tree overlaying a bare
repo (i.e., a ".git" directory _inside_ a bare repo), we
continue to treat it as a working tree (prefering the
"inner" .git over the bare repo). This is mainly because the
combination seems nonsensical, and I'd rather stick with
existing behavior on the off chance that somebody is relying
on it.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-02-02 22:59:13 +01:00
|
|
|
struct stat st;
|
2011-10-04 22:02:00 +02:00
|
|
|
strcpy(used_path + len, suffix[i]);
|
standardize and improve lookup rules for external local repos
When you specify a local repository on the command line of
clone, ls-remote, upload-pack, receive-pack, or upload-archive,
or in a request to git-daemon, we perform a little bit of
lookup magic, doing things like looking in working trees for
.git directories and appending ".git" for bare repos.
For clone, this magic happens in get_repo_path. For
everything else, it happens in enter_repo. In both cases,
there are some ambiguous or confusing cases that aren't
handled well, and there is one case that is not handled the
same by both methods.
This patch tries to provide (and test!) standard, sensible
lookup rules for both code paths. The intended changes are:
1. When looking up "foo", we have always preferred
a working tree "foo" (containing "foo/.git" over the
bare "foo.git". But we did not prefer a bare "foo" over
"foo.git". With this patch, we do so.
2. We would select directories that existed but didn't
actually look like git repositories. With this patch,
we make sure a selected directory looks like a git
repo. Not only is this more sensible in general, but it
will help anybody who is negatively affected by change
(1) negatively (e.g., if they had "foo.git" next to its
separate work tree "foo", and expect to keep finding
"foo.git" when they reference "foo").
3. The enter_repo code path would, given "foo", look for
"foo.git/.git" (i.e., do the ".git" append magic even
for a repo with working tree). The clone code path did
not; with this patch, they now behave the same.
In the unlikely case of a working tree overlaying a bare
repo (i.e., a ".git" directory _inside_ a bare repo), we
continue to treat it as a working tree (prefering the
"inner" .git over the bare repo). This is mainly because the
combination seems nonsensical, and I'd rather stick with
existing behavior on the off chance that somebody is relying
on it.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-02-02 22:59:13 +01:00
|
|
|
if (!stat(used_path, &st) &&
|
|
|
|
(S_ISREG(st.st_mode) ||
|
|
|
|
(S_ISDIR(st.st_mode) && is_git_directory(used_path)))) {
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
strcat(validated_path, suffix[i]);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2011-10-04 22:05:17 +02:00
|
|
|
if (!suffix[i])
|
|
|
|
return NULL;
|
|
|
|
gitfile = read_gitfile(used_path) ;
|
|
|
|
if (gitfile)
|
|
|
|
strcpy(used_path, gitfile);
|
|
|
|
if (chdir(used_path))
|
2005-11-18 23:59:34 +01:00
|
|
|
return NULL;
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
path = validated_path;
|
2005-11-18 23:59:34 +01:00
|
|
|
}
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
else if (chdir(path))
|
|
|
|
return NULL;
|
2005-11-17 20:37:14 +01:00
|
|
|
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
if (access("objects", X_OK) == 0 && access("refs", X_OK) == 0 &&
|
2007-01-02 08:31:08 +01:00
|
|
|
validate_headref("HEAD") == 0) {
|
2010-02-06 10:35:19 +01:00
|
|
|
set_git_dir(".");
|
2005-11-25 19:48:26 +01:00
|
|
|
check_repository_format();
|
[PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).
Unfortunately, it did not go well as we hoped.
For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons. Being able to keep using
/pub/scm as the whitelist is a desirable property.
So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name. When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).
What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob". And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc. The whole point of this is to avoid
unnecessary aliasing issues.
Anyway, because of this, daemon needs to do a bit more work to
guard itself. Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end. I resurrected the
belts and suspender paranoia code HPA did for this purpose.
This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 10:45:57 +01:00
|
|
|
return path;
|
2005-11-17 20:37:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
2006-06-10 07:07:23 +02:00
|
|
|
|
2013-03-30 10:53:47 +01:00
|
|
|
static int calc_shared_perm(int mode)
|
2006-06-10 07:07:23 +02:00
|
|
|
{
|
2013-03-30 10:53:47 +01:00
|
|
|
int tweak;
|
2006-06-10 07:07:23 +02:00
|
|
|
|
2009-03-26 00:19:36 +01:00
|
|
|
if (shared_repository < 0)
|
2013-03-30 10:53:47 +01:00
|
|
|
tweak = -shared_repository;
|
2009-03-26 00:19:36 +01:00
|
|
|
else
|
2013-03-30 10:53:47 +01:00
|
|
|
tweak = shared_repository;
|
2009-03-26 00:19:36 +01:00
|
|
|
|
|
|
|
if (!(mode & S_IWUSR))
|
|
|
|
tweak &= ~0222;
|
|
|
|
if (mode & S_IXUSR)
|
|
|
|
/* Copy read bits to execute bits */
|
|
|
|
tweak |= (tweak & 0444) >> 2;
|
|
|
|
if (shared_repository < 0)
|
|
|
|
mode = (mode & ~0777) | tweak;
|
|
|
|
else
|
2008-07-12 03:15:03 +02:00
|
|
|
mode |= tweak;
|
2008-04-16 10:34:24 +02:00
|
|
|
|
2013-03-30 10:53:47 +01:00
|
|
|
return mode;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int adjust_shared_perm(const char *path)
|
|
|
|
{
|
|
|
|
int old_mode, new_mode;
|
|
|
|
|
|
|
|
if (!shared_repository)
|
|
|
|
return 0;
|
|
|
|
if (get_st_mode_bits(path, &old_mode) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
new_mode = calc_shared_perm(old_mode);
|
|
|
|
if (S_ISDIR(old_mode)) {
|
2008-04-16 10:34:24 +02:00
|
|
|
/* Copy read bits to execute bits */
|
2013-03-30 10:53:47 +01:00
|
|
|
new_mode |= (new_mode & 0444) >> 2;
|
|
|
|
new_mode |= FORCE_DIR_SET_GID;
|
2008-04-16 10:34:24 +02:00
|
|
|
}
|
|
|
|
|
2013-03-30 10:53:47 +01:00
|
|
|
if (((old_mode ^ new_mode) & ~S_IFMT) &&
|
|
|
|
chmod(path, (new_mode & ~S_IFMT)) < 0)
|
2006-06-10 07:07:23 +02:00
|
|
|
return -2;
|
|
|
|
return 0;
|
|
|
|
}
|
2007-08-01 02:28:59 +02:00
|
|
|
|
2013-06-25 17:53:43 +02:00
|
|
|
/*
|
|
|
|
* Give path as relative to prefix.
|
|
|
|
*
|
|
|
|
* The strbuf may or may not be used, so do not assume it contains the
|
|
|
|
* returned path.
|
|
|
|
*/
|
|
|
|
const char *relative_path(const char *in, const char *prefix,
|
|
|
|
struct strbuf *sb)
|
Make git_dir a path relative to work_tree in setup_work_tree()
Once we find the absolute paths for git_dir and work_tree, we can make
git_dir a relative path since we know pwd will be work_tree. This should
save the kernel some time traversing the path to work_tree all the time
if git_dir is inside work_tree.
Daniel's patch didn't apply for me as-is, so I recreated it with some
differences, and here are the numbers from ten runs each.
There is some IO for me - probably due to more-or-less random flushing of
the journal - so the variation is bigger than I'd like, but whatever:
Before:
real 0m8.135s
real 0m7.933s
real 0m8.080s
real 0m7.954s
real 0m7.949s
real 0m8.112s
real 0m7.934s
real 0m8.059s
real 0m7.979s
real 0m8.038s
After:
real 0m7.685s
real 0m7.968s
real 0m7.703s
real 0m7.850s
real 0m7.995s
real 0m7.817s
real 0m7.963s
real 0m7.955s
real 0m7.848s
real 0m7.969s
Now, going by "best of ten" (on the assumption that the longer numbers
are all due to IO), I'm saying a 7.933s -> 7.685s reduction, and it does
seem to be outside of the noise (ie the "after" case never broke 8s, while
the "before" case did so half the time).
So looks like about 3% to me.
Doing it for a slightly smaller test-case (just the "arch" subdirectory)
gets more stable numbers probably due to not filling the journal with
metadata updates, so we have:
Before:
real 0m1.633s
real 0m1.633s
real 0m1.633s
real 0m1.632s
real 0m1.632s
real 0m1.630s
real 0m1.634s
real 0m1.631s
real 0m1.632s
real 0m1.632s
After:
real 0m1.610s
real 0m1.609s
real 0m1.610s
real 0m1.608s
real 0m1.607s
real 0m1.610s
real 0m1.609s
real 0m1.611s
real 0m1.608s
real 0m1.611s
where I'ld just take the averages and say 1.632 vs 1.610, which is just
over 1% peformance improvement.
So it's not in the noise, but it's not as big as I initially thought and
measured.
(That said, it obviously depends on how deep the working directory path is
too, and whether it is behind NFS or something else that might need to
cause more work to look up).
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-06-19 21:34:06 +02:00
|
|
|
{
|
2013-06-25 17:53:43 +02:00
|
|
|
int in_len = in ? strlen(in) : 0;
|
|
|
|
int prefix_len = prefix ? strlen(prefix) : 0;
|
|
|
|
int in_off = 0;
|
|
|
|
int prefix_off = 0;
|
2010-01-22 04:05:19 +01:00
|
|
|
int i = 0, j = 0;
|
|
|
|
|
2013-06-25 17:53:43 +02:00
|
|
|
if (!in_len)
|
|
|
|
return "./";
|
|
|
|
else if (!prefix_len)
|
|
|
|
return in;
|
|
|
|
|
|
|
|
while (i < prefix_len && j < in_len && prefix[i] == in[j]) {
|
|
|
|
if (is_dir_sep(prefix[i])) {
|
|
|
|
while (is_dir_sep(prefix[i]))
|
2010-01-22 04:05:19 +01:00
|
|
|
i++;
|
2013-06-25 17:53:43 +02:00
|
|
|
while (is_dir_sep(in[j]))
|
|
|
|
j++;
|
|
|
|
prefix_off = i;
|
|
|
|
in_off = j;
|
|
|
|
} else {
|
|
|
|
i++;
|
|
|
|
j++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (
|
|
|
|
/* "prefix" seems like prefix of "in" */
|
|
|
|
i >= prefix_len &&
|
|
|
|
/*
|
|
|
|
* but "/foo" is not a prefix of "/foobar"
|
|
|
|
* (i.e. prefix not end with '/')
|
|
|
|
*/
|
|
|
|
prefix_off < prefix_len) {
|
|
|
|
if (j >= in_len) {
|
|
|
|
/* in="/a/b", prefix="/a/b" */
|
|
|
|
in_off = in_len;
|
|
|
|
} else if (is_dir_sep(in[j])) {
|
|
|
|
/* in="/a/b/c", prefix="/a/b" */
|
|
|
|
while (is_dir_sep(in[j]))
|
2010-01-22 04:05:19 +01:00
|
|
|
j++;
|
2013-06-25 17:53:43 +02:00
|
|
|
in_off = j;
|
|
|
|
} else {
|
|
|
|
/* in="/a/bbb/c", prefix="/a/b" */
|
|
|
|
i = prefix_off;
|
|
|
|
}
|
|
|
|
} else if (
|
|
|
|
/* "in" is short than "prefix" */
|
|
|
|
j >= in_len &&
|
|
|
|
/* "in" not end with '/' */
|
|
|
|
in_off < in_len) {
|
|
|
|
if (is_dir_sep(prefix[i])) {
|
|
|
|
/* in="/a/b", prefix="/a/b/c/" */
|
|
|
|
while (is_dir_sep(prefix[i]))
|
|
|
|
i++;
|
|
|
|
in_off = in_len;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
in += in_off;
|
|
|
|
in_len -= in_off;
|
|
|
|
|
|
|
|
if (i >= prefix_len) {
|
|
|
|
if (!in_len)
|
|
|
|
return "./";
|
|
|
|
else
|
|
|
|
return in;
|
|
|
|
}
|
|
|
|
|
|
|
|
strbuf_reset(sb);
|
|
|
|
strbuf_grow(sb, in_len);
|
|
|
|
|
|
|
|
while (i < prefix_len) {
|
|
|
|
if (is_dir_sep(prefix[i])) {
|
|
|
|
strbuf_addstr(sb, "../");
|
|
|
|
while (is_dir_sep(prefix[i]))
|
|
|
|
i++;
|
2010-01-22 04:05:19 +01:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
i++;
|
|
|
|
}
|
2013-06-25 17:53:43 +02:00
|
|
|
if (!is_dir_sep(prefix[prefix_len - 1]))
|
|
|
|
strbuf_addstr(sb, "../");
|
|
|
|
|
|
|
|
strbuf_addstr(sb, in);
|
|
|
|
|
|
|
|
return sb->buf;
|
Make git_dir a path relative to work_tree in setup_work_tree()
Once we find the absolute paths for git_dir and work_tree, we can make
git_dir a relative path since we know pwd will be work_tree. This should
save the kernel some time traversing the path to work_tree all the time
if git_dir is inside work_tree.
Daniel's patch didn't apply for me as-is, so I recreated it with some
differences, and here are the numbers from ten runs each.
There is some IO for me - probably due to more-or-less random flushing of
the journal - so the variation is bigger than I'd like, but whatever:
Before:
real 0m8.135s
real 0m7.933s
real 0m8.080s
real 0m7.954s
real 0m7.949s
real 0m8.112s
real 0m7.934s
real 0m8.059s
real 0m7.979s
real 0m8.038s
After:
real 0m7.685s
real 0m7.968s
real 0m7.703s
real 0m7.850s
real 0m7.995s
real 0m7.817s
real 0m7.963s
real 0m7.955s
real 0m7.848s
real 0m7.969s
Now, going by "best of ten" (on the assumption that the longer numbers
are all due to IO), I'm saying a 7.933s -> 7.685s reduction, and it does
seem to be outside of the noise (ie the "after" case never broke 8s, while
the "before" case did so half the time).
So looks like about 3% to me.
Doing it for a slightly smaller test-case (just the "arch" subdirectory)
gets more stable numbers probably due to not filling the journal with
metadata updates, so we have:
Before:
real 0m1.633s
real 0m1.633s
real 0m1.633s
real 0m1.632s
real 0m1.632s
real 0m1.630s
real 0m1.634s
real 0m1.631s
real 0m1.632s
real 0m1.632s
After:
real 0m1.610s
real 0m1.609s
real 0m1.610s
real 0m1.608s
real 0m1.607s
real 0m1.610s
real 0m1.609s
real 0m1.611s
real 0m1.608s
real 0m1.611s
where I'ld just take the averages and say 1.632 vs 1.610, which is just
over 1% peformance improvement.
So it's not in the noise, but it's not as big as I initially thought and
measured.
(That said, it obviously depends on how deep the working directory path is
too, and whether it is behind NFS or something else that might need to
cause more work to look up).
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-06-19 21:34:06 +02:00
|
|
|
}
|
2008-05-20 08:48:54 +02:00
|
|
|
|
|
|
|
/*
|
2009-02-07 16:08:31 +01:00
|
|
|
* It is okay if dst == src, but they should not overlap otherwise.
|
2008-05-20 08:48:54 +02:00
|
|
|
*
|
2009-02-07 16:08:31 +01:00
|
|
|
* Performs the following normalizations on src, storing the result in dst:
|
|
|
|
* - Ensures that components are separated by '/' (Windows only)
|
|
|
|
* - Squashes sequences of '/'.
|
2008-05-20 08:48:54 +02:00
|
|
|
* - Removes "." components.
|
|
|
|
* - Removes ".." components, and the components the precede them.
|
2009-02-07 16:08:31 +01:00
|
|
|
* Returns failure (non-zero) if a ".." component appears as first path
|
|
|
|
* component anytime during the normalization. Otherwise, returns success (0).
|
2008-05-20 08:48:54 +02:00
|
|
|
*
|
|
|
|
* Note that this function is purely textual. It does not follow symlinks,
|
|
|
|
* verify the existence of the path, or make any system calls.
|
|
|
|
*/
|
2009-02-07 16:08:28 +01:00
|
|
|
int normalize_path_copy(char *dst, const char *src)
|
2008-05-20 08:48:54 +02:00
|
|
|
{
|
2009-02-07 16:08:28 +01:00
|
|
|
char *dst0;
|
2008-05-20 08:48:54 +02:00
|
|
|
|
2009-02-07 16:08:28 +01:00
|
|
|
if (has_dos_drive_prefix(src)) {
|
|
|
|
*dst++ = *src++;
|
|
|
|
*dst++ = *src++;
|
2008-05-20 08:48:54 +02:00
|
|
|
}
|
2009-02-07 16:08:28 +01:00
|
|
|
dst0 = dst;
|
2008-05-20 08:48:54 +02:00
|
|
|
|
2009-02-07 16:08:28 +01:00
|
|
|
if (is_dir_sep(*src)) {
|
2008-05-20 08:48:54 +02:00
|
|
|
*dst++ = '/';
|
2009-02-07 16:08:28 +01:00
|
|
|
while (is_dir_sep(*src))
|
|
|
|
src++;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
char c = *src;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* A path component that begins with . could be
|
|
|
|
* special:
|
|
|
|
* (1) "." and ends -- ignore and terminate.
|
|
|
|
* (2) "./" -- ignore them, eat slash and continue.
|
|
|
|
* (3) ".." and ends -- strip one and terminate.
|
|
|
|
* (4) "../" -- strip one, eat slash and continue.
|
|
|
|
*/
|
|
|
|
if (c == '.') {
|
|
|
|
if (!src[1]) {
|
|
|
|
/* (1) */
|
|
|
|
src++;
|
|
|
|
} else if (is_dir_sep(src[1])) {
|
|
|
|
/* (2) */
|
|
|
|
src += 2;
|
|
|
|
while (is_dir_sep(*src))
|
|
|
|
src++;
|
|
|
|
continue;
|
|
|
|
} else if (src[1] == '.') {
|
|
|
|
if (!src[2]) {
|
|
|
|
/* (3) */
|
|
|
|
src += 2;
|
|
|
|
goto up_one;
|
|
|
|
} else if (is_dir_sep(src[2])) {
|
|
|
|
/* (4) */
|
|
|
|
src += 3;
|
|
|
|
while (is_dir_sep(*src))
|
|
|
|
src++;
|
|
|
|
goto up_one;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2008-05-20 08:48:54 +02:00
|
|
|
|
2009-02-07 16:08:28 +01:00
|
|
|
/* copy up to the next '/', and eat all '/' */
|
|
|
|
while ((c = *src++) != '\0' && !is_dir_sep(c))
|
|
|
|
*dst++ = c;
|
|
|
|
if (is_dir_sep(c)) {
|
|
|
|
*dst++ = '/';
|
|
|
|
while (is_dir_sep(c))
|
|
|
|
c = *src++;
|
|
|
|
src--;
|
|
|
|
} else if (!c)
|
|
|
|
break;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
up_one:
|
|
|
|
/*
|
|
|
|
* dst0..dst is prefix portion, and dst[-1] is '/';
|
|
|
|
* go up one level.
|
|
|
|
*/
|
2009-02-07 16:08:30 +01:00
|
|
|
dst--; /* go to trailing '/' */
|
|
|
|
if (dst <= dst0)
|
2009-02-07 16:08:28 +01:00
|
|
|
return -1;
|
2009-02-07 16:08:30 +01:00
|
|
|
/* Windows: dst[-1] cannot be backslash anymore */
|
|
|
|
while (dst0 < dst && dst[-1] != '/')
|
|
|
|
dst--;
|
2009-02-07 16:08:28 +01:00
|
|
|
}
|
2008-05-20 08:48:54 +02:00
|
|
|
*dst = '\0';
|
2009-02-07 16:08:28 +01:00
|
|
|
return 0;
|
2008-05-20 08:48:54 +02:00
|
|
|
}
|
2008-05-20 08:49:26 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* path = Canonical absolute path
|
2012-10-28 17:16:25 +01:00
|
|
|
* prefixes = string_list containing normalized, absolute paths without
|
|
|
|
* trailing slashes (except for the root directory, which is denoted by "/").
|
2008-05-20 08:49:26 +02:00
|
|
|
*
|
2012-10-28 17:16:25 +01:00
|
|
|
* Determines, for each path in prefixes, whether the "prefix"
|
2008-05-20 08:49:26 +02:00
|
|
|
* is an ancestor directory of path. Returns the length of the longest
|
|
|
|
* ancestor directory, excluding any trailing slashes, or -1 if no prefix
|
2012-10-28 17:16:24 +01:00
|
|
|
* is an ancestor. (Note that this means 0 is returned if prefixes is
|
|
|
|
* ["/"].) "/foo" is not considered an ancestor of "/foobar". Directories
|
2008-05-20 08:49:26 +02:00
|
|
|
* are not considered to be their own ancestors. path must be in a
|
|
|
|
* canonical form: empty components, or "." or ".." components are not
|
2012-10-28 17:16:25 +01:00
|
|
|
* allowed.
|
2008-05-20 08:49:26 +02:00
|
|
|
*/
|
2012-10-28 17:16:24 +01:00
|
|
|
int longest_ancestor_length(const char *path, struct string_list *prefixes)
|
2008-05-20 08:49:26 +02:00
|
|
|
{
|
2012-10-28 17:16:23 +01:00
|
|
|
int i, max_len = -1;
|
2008-05-20 08:49:26 +02:00
|
|
|
|
2012-10-28 17:16:24 +01:00
|
|
|
if (!strcmp(path, "/"))
|
2008-05-20 08:49:26 +02:00
|
|
|
return -1;
|
|
|
|
|
2012-10-28 17:16:24 +01:00
|
|
|
for (i = 0; i < prefixes->nr; i++) {
|
|
|
|
const char *ceil = prefixes->items[i].string;
|
2012-10-28 17:16:23 +01:00
|
|
|
int len = strlen(ceil);
|
|
|
|
|
2012-10-28 17:16:25 +01:00
|
|
|
if (len == 1 && ceil[0] == '/')
|
|
|
|
len = 0; /* root matches anything, with length 0 */
|
|
|
|
else if (!strncmp(path, ceil, len) && path[len] == '/')
|
|
|
|
; /* match of length len */
|
|
|
|
else
|
|
|
|
continue; /* no match */
|
2008-05-20 08:49:26 +02:00
|
|
|
|
2012-10-28 17:16:25 +01:00
|
|
|
if (len > max_len)
|
2008-05-20 08:49:26 +02:00
|
|
|
max_len = len;
|
|
|
|
}
|
|
|
|
|
|
|
|
return max_len;
|
|
|
|
}
|
2009-02-19 20:10:49 +01:00
|
|
|
|
|
|
|
/* strip arbitrary amount of directory separators at end of path */
|
|
|
|
static inline int chomp_trailing_dir_sep(const char *path, int len)
|
|
|
|
{
|
|
|
|
while (len && is_dir_sep(path[len - 1]))
|
|
|
|
len--;
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If path ends with suffix (complete path components), returns the
|
|
|
|
* part before suffix (sans trailing directory separators).
|
|
|
|
* Otherwise returns NULL.
|
|
|
|
*/
|
|
|
|
char *strip_path_suffix(const char *path, const char *suffix)
|
|
|
|
{
|
|
|
|
int path_len = strlen(path), suffix_len = strlen(suffix);
|
|
|
|
|
|
|
|
while (suffix_len) {
|
|
|
|
if (!path_len)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (is_dir_sep(path[path_len - 1])) {
|
|
|
|
if (!is_dir_sep(suffix[suffix_len - 1]))
|
|
|
|
return NULL;
|
|
|
|
path_len = chomp_trailing_dir_sep(path, path_len);
|
|
|
|
suffix_len = chomp_trailing_dir_sep(suffix, suffix_len);
|
|
|
|
}
|
|
|
|
else if (path[--path_len] != suffix[--suffix_len])
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (path_len && !is_dir_sep(path[path_len - 1]))
|
|
|
|
return NULL;
|
|
|
|
return xstrndup(path, chomp_trailing_dir_sep(path, path_len));
|
|
|
|
}
|
2009-11-09 20:26:43 +01:00
|
|
|
|
|
|
|
int daemon_avoid_alias(const char *p)
|
|
|
|
{
|
|
|
|
int sl, ndot;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This resurrects the belts and suspenders paranoia check by HPA
|
|
|
|
* done in <435560F7.4080006@zytor.com> thread, now enter_repo()
|
2010-02-04 06:23:18 +01:00
|
|
|
* does not do getcwd() based path canonicalization.
|
2009-11-09 20:26:43 +01:00
|
|
|
*
|
|
|
|
* sl becomes true immediately after seeing '/' and continues to
|
|
|
|
* be true as long as dots continue after that without intervening
|
|
|
|
* non-dot character.
|
|
|
|
*/
|
|
|
|
if (!p || (*p != '/' && *p != '~'))
|
|
|
|
return -1;
|
|
|
|
sl = 1; ndot = 0;
|
|
|
|
p++;
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
char ch = *p++;
|
|
|
|
if (sl) {
|
|
|
|
if (ch == '.')
|
|
|
|
ndot++;
|
|
|
|
else if (ch == '/') {
|
|
|
|
if (ndot < 3)
|
|
|
|
/* reject //, /./ and /../ */
|
|
|
|
return -1;
|
|
|
|
ndot = 0;
|
|
|
|
}
|
|
|
|
else if (ch == 0) {
|
|
|
|
if (0 < ndot && ndot < 3)
|
|
|
|
/* reject /.$ and /..$ */
|
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
sl = ndot = 0;
|
|
|
|
}
|
|
|
|
else if (ch == 0)
|
|
|
|
return 0;
|
|
|
|
else if (ch == '/') {
|
|
|
|
sl = 1;
|
|
|
|
ndot = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2010-02-16 06:22:08 +01:00
|
|
|
|
|
|
|
int offset_1st_component(const char *path)
|
|
|
|
{
|
|
|
|
if (has_dos_drive_prefix(path))
|
|
|
|
return 2 + is_dir_sep(path[2]);
|
|
|
|
return is_dir_sep(path[0]);
|
|
|
|
}
|