Verify Content-Type from smart HTTP servers
Before parsing a suspected smart-HTTP response verify the returned Content-Type matches the standard. This protects a client from attempting to process a payload that smells like a smart-HTTP server response.

JGit has been doing this check on all responses since the dawn of time. I mistakenly failed to include it in git-core when smart HTTP was introduced. At the time I didn't know how to get the Content-Type from libcurl. I punted, meant to circle back and fix this, and just plain forgot about it.

Signed-off-by: Shawn Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

committed by Junio C Hamano
parent e1b6ff44d6
commit 4656bf47fc

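The check the commit message describes, written out as an added example (this is not the code from this commit). The function and enum names are hypothetical; the `application/x-<service>-advertisement` media type and the `#` after the four-digit pkt-line length come from Git's smart HTTP protocol rather than from this page, and the exact string comparison is a choice made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum refs_format { REFS_DUMB = 0, REFS_SMART = 1 };

/* Classify an info/refs response; "service" is e.g. "git-upload-pack". */
enum refs_format classify_refs_response(const char *service,
                                        const char *content_type,
                                        const char *body, size_t len)
{
    char expected[128];
    int n, i;

    /* Media type a smart server returns for this service. */
    n = snprintf(expected, sizeof(expected),
                 "application/x-%s-advertisement", service);
    if (n < 0 || (size_t)n >= sizeof(expected))
        return REFS_DUMB;

    /* Missing or different type: never hand the body to the pkt-line parser. */
    if (!content_type || strcmp(content_type, expected) != 0)
        return REFS_DUMB;

    /* The body must open with a pkt-line: 4 hex length digits, then '#'. */
    if (len < 5 || body[4] != '#')
        return REFS_DUMB;
    for (i = 0; i < 4; i++)
        if (!isxdigit((unsigned char)body[i]))
            return REFS_DUMB;

    return REFS_SMART;
}

int main(void)
{
    /* Constructed sample: a smart-looking body served with the wrong type. */
    static const char body[] = "001e# service=git-upload-pack\n0000";
    size_t len = sizeof(body) - 1;

    printf("text/plain -> %d\n",
           classify_refs_response("git-upload-pack", "text/plain", body, len));
    printf("advertisement -> %d\n",
           classify_refs_response("git-upload-pack",
               "application/x-git-upload-pack-advertisement", body, len));
    return 0;
}
```

A body that only looks like a pkt-line stream is classified as a dumb response unless the header also matches, which is the case the commit message is about.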
@ -1560,7 +1560,7 @@ static int remote_exists(const char *path)
sprintf(url, "%s%s", repo->url, path);
switch (http_get_strbuf(url, NULL, 0)) {
switch (http_get_strbuf(url, NULL, NULL, 0)) {
case HTTP_OK:
ret = 1;
break;
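Review bot: the `http_get_strbuf(url, NULL, NULL, 0)` call in remote_exists() now carries two bare NULLs in a row, and nothing visible here says which one is the new argument or that NULL is an accepted "not interested" value for it. A one-line comment at the declaration stating that either output pointer may be NULL would cover this caller and the others. Since this function only switches on the return code, passing NULL in both slots looks right for an existence probe.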
@ -1584,7 +1584,7 @@ static void fetch_symref(const char *path, char **symref, unsigned char *sha1)
url = xmalloc(strlen(repo->url) + strlen(path) + 1);
sprintf(url, "%s%s", repo->url, path);
if (http_get_strbuf(url, &buffer, 0) != HTTP_OK)
if (http_get_strbuf(url, NULL, &buffer, 0) != HTTP_OK)
die("Couldn't get %s for remote symref\n%s", url,
curl_errorstr);
free(url);
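Review bot: in fetch_symref() the result buffer moves from the second argument to the third (`http_get_strbuf(url, NULL, &buffer, 0)`), so the new parameter has been inserted in front of an existing output parameter. If the two outputs share a pointer type, a caller that leaves `&buffer` in the old slot and puts NULL after it would still compile and the response body would no longer land in `buffer`. Adding the new parameter after the result buffer, or spelling out the argument order in a comment at the declaration, would make that mistake harder to introduce in later callers.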