1
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-11-09 02:33:11 +01:00
git/server-info.c

285 lines
5.7 KiB
C
Raw Normal View History

#include "cache.h"
#include "refs.h"
#include "object.h"
#include "commit.h"
#include "tag.h"
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
/*
* Create the file "path" by writing to a temporary file and renaming
* it into place. The contents of the file come from "generate", which
* should return non-zero if it encounters an error.
*/
static int update_info_file(char *path, int (*generate)(FILE *))
{
char *tmp = mkpathdup("%s_XXXXXX", path);
int ret = -1;
int fd = -1;
FILE *fp = NULL;
safe_create_leading_directories(path);
fd = git_mkstemp_mode(tmp, 0666);
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
if (fd < 0)
goto out;
fp = fdopen(fd, "w");
if (!fp)
goto out;
ret = generate(fp);
if (ret)
goto out;
if (fclose(fp))
goto out;
if (adjust_shared_perm(tmp) < 0)
goto out;
if (rename(tmp, path) < 0)
goto out;
ret = 0;
out:
if (ret) {
error("unable to update %s: %s", path, strerror(errno));
if (fp)
fclose(fp);
else if (fd >= 0)
close(fd);
unlink(tmp);
}
free(tmp);
return ret;
}
static int add_info_ref(const char *path, const unsigned char *sha1, int flag, void *cb_data)
{
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
FILE *fp = cb_data;
struct object *o = parse_object(sha1);
if (!o)
return -1;
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
if (fprintf(fp, "%s %s\n", sha1_to_hex(sha1), path) < 0)
return -1;
if (o->type == OBJ_TAG) {
o = deref_tag(o, path, 0);
if (o)
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
if (fprintf(fp, "%s %s^{}\n",
sha1_to_hex(o->sha1), path) < 0)
return -1;
}
return 0;
}
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
static int generate_info_refs(FILE *fp)
{
return for_each_ref(add_info_ref, fp);
}
static int update_info_refs(int force)
{
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
char *path = git_pathdup("info/refs");
int ret = update_info_file(path, generate_info_refs);
free(path);
return ret;
}
/* packs */
static struct pack_info {
struct packed_git *p;
int old_num;
int new_num;
int nr_alloc;
int nr_heads;
unsigned char (*head)[20];
} **info;
static int num_pack;
static const char *objdir;
static int objdirlen;
static struct pack_info *find_pack_by_name(const char *name)
{
int i;
for (i = 0; i < num_pack; i++) {
struct packed_git *p = info[i]->p;
/* skip "/pack/" after ".git/objects" */
if (!strcmp(p->pack_name + objdirlen + 6, name))
return info[i];
}
return NULL;
}
/* Returns non-zero when we detect that the info in the
* old file is useless.
*/
static int parse_pack_def(const char *line, int old_cnt)
{
struct pack_info *i = find_pack_by_name(line + 2);
if (i) {
i->old_num = old_cnt;
return 0;
}
else {
/* The file describes a pack that is no longer here */
return 1;
}
}
/* Returns non-zero when we detect that the info in the
* old file is useless.
*/
static int read_pack_info_file(const char *infofile)
{
FILE *fp;
char line[1000];
int old_cnt = 0;
fp = fopen(infofile, "r");
if (!fp)
return 1; /* nonexistent is not an error. */
while (fgets(line, sizeof(line), fp)) {
int len = strlen(line);
if (len && line[len-1] == '\n')
line[--len] = 0;
if (!len)
continue;
switch (line[0]) {
case 'P': /* P name */
if (parse_pack_def(line, old_cnt++))
goto out_stale;
break;
case 'D': /* we used to emit D but that was misguided. */
case 'T': /* we used to emit T but nobody uses it. */
goto out_stale;
default:
error("unrecognized: %s", line);
break;
}
}
fclose(fp);
return 0;
out_stale:
fclose(fp);
return 1;
}
static int compare_info(const void *a_, const void *b_)
{
struct pack_info *const *a = a_;
struct pack_info *const *b = b_;
if (0 <= (*a)->old_num && 0 <= (*b)->old_num)
/* Keep the order in the original */
return (*a)->old_num - (*b)->old_num;
else if (0 <= (*a)->old_num)
/* Only A existed in the original so B is obviously newer */
return -1;
else if (0 <= (*b)->old_num)
/* The other way around. */
return 1;
/* then it does not matter but at least keep the comparison stable */
if ((*a)->p == (*b)->p)
return 0;
else if ((*a)->p < (*b)->p)
return -1;
else
return 1;
}
static void init_pack_info(const char *infofile, int force)
{
struct packed_git *p;
int stale;
int i = 0;
objdir = get_object_directory();
objdirlen = strlen(objdir);
prepare_packed_git();
for (p = packed_git; p; p = p->next) {
/* we ignore things on alternate path since they are
* not available to the pullers in general.
*/
if (!p->pack_local)
continue;
i++;
}
num_pack = i;
info = xcalloc(num_pack, sizeof(struct pack_info *));
for (i = 0, p = packed_git; p; p = p->next) {
if (!p->pack_local)
continue;
info[i] = xcalloc(1, sizeof(struct pack_info));
info[i]->p = p;
info[i]->old_num = -1;
i++;
}
if (infofile && !force)
stale = read_pack_info_file(infofile);
else
stale = 1;
for (i = 0; i < num_pack; i++) {
if (stale) {
info[i]->old_num = -1;
info[i]->nr_heads = 0;
}
}
/* renumber them */
qsort(info, num_pack, sizeof(info[0]), compare_info);
for (i = 0; i < num_pack; i++)
info[i]->new_num = i;
}
static void free_pack_info(void)
{
int i;
for (i = 0; i < num_pack; i++)
free(info[i]);
free(info);
}
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
static int write_pack_info_file(FILE *fp)
{
int i;
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
for (i = 0; i < num_pack; i++) {
if (fprintf(fp, "P %s\n", info[i]->p->pack_name + objdirlen + 6) < 0)
return -1;
}
if (fputc('\n', fp) == EOF)
return -1;
return 0;
}
static int update_info_packs(int force)
{
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
char *infofile = mkpathdup("%s/info/packs", get_object_directory());
int ret;
init_pack_info(infofile, force);
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
ret = update_info_file(infofile, write_pack_info_file);
free_pack_info();
make update-server-info more robust Since "git update-server-info" may be called automatically as part of a push or a "gc --auto", we should be robust against two processes trying to update it simultaneously. However, we currently use a fixed tempfile, which means that two simultaneous writers may step on each other's toes and end up renaming junk into place. Let's instead switch to using a unique tempfile via mkstemp. We do not want to use a lockfile here, because it's OK for two writers to simultaneously update (one will "win" the rename race, but that's OK; they should be writing the same information). While we're there, let's clean up a few other things: 1. Detect write errors. Report them and abort the update if any are found. 2. Free path memory rather than leaking it (and clean up the tempfile when necessary). 3. Use the pathdup functions consistently rather than static buffers or manually calculated lengths. This last one fixes a potential overflow of "infofile" in update_info_packs (e.g., by putting large junk into $GIT_OBJECT_DIRECTORY). However, this overflow was probably not an interesting attack vector for two reasons: a. The attacker would need to control the environment to do this, in which case it was already game-over. b. During its setup phase, git checks that the directory actually exists, which means it is probably shorter than PATH_MAX anyway. Because both update_info_refs and update_info_packs share these same failings (and largely duplicate each other), this patch factors out the improved error-checking version into a helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-13 22:19:20 +02:00
free(infofile);
return ret;
}
/* public */
int update_server_info(int force)
{
/* We would add more dumb-server support files later,
* including index of available pack files and their
* intended audiences.
*/
int errs = 0;
errs = errs | update_info_refs(force);
errs = errs | update_info_packs(force);
/* remove leftover rev-cache file if there is any */
unlink_or_warn(git_path("info/rev-cache"));
return errs;
}