git-daemon support for user-relative paths.

Dropped a fair amount of reundant code in favour of the library code in path.c Added option --strict-paths with documentation, with backwards compatibility for whitelist entries with symlinks. Everything that worked earlier still works insofar as I have remembered testing it. Signed-off-by: Andreas Ericsson <ae@op5.se> Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-17 20:37:14 +01:00
parent aa7f412abf
commit 4dbd135279
3 changed files with 72 additions and 87 deletions
--- a/Documentation/git-daemon.txt
+++ b/Documentation/git-daemon.txt
@ -29,9 +29,15 @@ This is ideally suited for read-only updates, ie pulling from git repositories.
 OPTIONS
 -------
 +--strict-paths::
 	Match paths exactly (i.e. don't allow "/foo/repo" when the real path is
 	"/foo/repo.git" or "/foo/repo/.git") and don't do user-relative paths.
 	git-daemon will refuse to start when this option is enabled and no
 	whitelist is specified.
 --export-all::
 	Allow pulling from all directories that look like GIT repositories
-	(have the 'objects' subdirectory and a 'HEAD' file), even if they
+	(have the 'objects' and 'refs' subdirectories), even if they
 	do not have the 'git-daemon-export-ok' file.
 --inetd::
@ -57,9 +63,15 @@ OPTIONS
 --verbose::
 	Log details about the incoming connections and requested files.
 <directory>::
 	A directory to add to the whitelist of allowed directories. Unless
 	--strict-paths is specified this will also include subdirectories
 	of each named directory.
 Author
 ------
-Written by Linus Torvalds <torvalds@osdl.org> and YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Written by Linus Torvalds <torvalds@osdl.org>, YOSHIFUJI Hideaki
 <yoshfuji@linux-ipv6.org> and the git-list <git@vger.kernel.org>
 Documentation
 --------------
--- a/Documentation/pull-fetch-param.txt
+++ b/Documentation/pull-fetch-param.txt
@ -9,15 +9,16 @@
 - http://host.xz/path/to/repo.git/
 - https://host.xz/path/to/repo.git/
 - git://host.xz/path/to/repo.git/
 - git://host.xz/~user/path/to/repo.git/
 - ssh://host.xz/path/to/repo.git/
 - ssh://host.xz/~user/path/to/repo.git/
 - ssh://host.xz/~/path/to/repo.git
 ===============================================================
 +
 	SSH Is the default transport protocol and also supports an
-	scp-like syntax.  Both syntaxes support username expansion.
+	scp-like syntax.  Both syntaxes support username expansion,
-	The following three are identical to the last three above,
+	as does the native git protocol. The following three are
-	respectively:
+	identical to the last three above, respectively:
 +
 ===============================================================
 - host.xz:/path/to/repo.git/
--- a/daemon.c
+++ b/daemon.c
@ -15,10 +15,11 @@ static int verbose;
 static const char daemon_usage[] =
 "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
-"           [--timeout=n] [--init-timeout=n] [directory...]";
+"           [--timeout=n] [--init-timeout=n] [--strict-paths] [directory...]";
 /* List of acceptable pathname prefixes */
 static char **ok_paths = NULL;
 static int strict_paths = 0;
 /* If this is set, git-daemon-export-ok is not required */
 static int export_all_trees = 0;
@ -81,69 +82,56 @@ static void loginfo(const char *err, ...)
 	va_end(params);
 }
-static int path_ok(const char *dir)
+static char *path_ok(char *dir)
 {
-	const char *p = dir;
+	char *path = enter_repo(dir, strict_paths);
 	char **pp;
 	int sl, ndot;
-	/* The pathname here should be an absolute path. */
+	if (!path) {
-	if ( *p++ != '/' )
+		logerror("'%s': unable to chdir or not a git archive", dir);
-		return 0;
+		return NULL;
 	sl = 1;  ndot = 0;
 	for (;;) {
 		if ( *p == '.' ) {
 			ndot++;
 		} else if ( *p == '\0' ) {
 			/* Reject "." and ".." at the end of the path */
 			if ( sl && ndot > 0 && ndot < 3 )
 				return 0;
 			/* Otherwise OK */
 			break;
 		} else if ( *p == '/' ) {
 			/* Refuse "", "." or ".." */
 			if ( sl && ndot < 3 )
 				return 0;
 			sl = 1;
 			ndot = 0;
 		} else {
 			sl = ndot = 0;
 		}
 		p++;
 	}
 	if ( ok_paths && *ok_paths ) {
-		int ok = 0;
+		char **pp = NULL;
 		int dirlen = strlen(dir);
 		int pathlen = strlen(path);
 		for ( pp = ok_paths ; *pp ; pp++ ) {
 			int len = strlen(*pp);
-			if ( len <= dirlen &&
+			/* because of symlinks we must match both what the
-			     !strncmp(*pp, dir, len) &&
+			 * user passed and the canonicalized path, otherwise
-			     (dir[len] == '/' || dir[len] == '\0') ) {
+			 * the user can send a string matching either a whitelist
-				ok = 1;
+			 * entry or an actual directory exactly and still not
-				break;
+			 * get through */
 			if (len <= pathlen && !memcmp(*pp, path, len)) {
 				if (path[len] == '\0' || (!strict_paths && path[len] == '/'))
 					return path;
 			}
 			if (len <= dirlen && !memcmp(*pp, dir, len)) {
 				if (dir[len] == '\0' || (!strict_paths && dir[len] == '/'))
 					return path;
 			}
 		}
 	}
 	else {
 		/* be backwards compatible */
 		if (!strict_paths)
 			return path;
 	}
-		if ( !ok )
+	logerror("'%s': not in whitelist", path);
-			return 0; /* Path not in whitelist */
+	return NULL;		/* Fallthrough. Deny by default */
 }
-	return 1;		/* Path acceptable */
+static int upload(char *dir)
 }
 static int set_dir(const char *dir)
 {
-	if (!path_ok(dir)) {
+	/* Timeout as string */
-		errno = EACCES;
+	char timeout_buf[64];
-		return -1;
+	const char *path;
 	}
-	if ( chdir(dir) )
+	loginfo("Request for '%s'", dir);
 	if (!(path = path_ok(dir)))
 		return -1;
 	/*
@ -152,45 +140,17 @@ static int set_dir(const char *dir)
 	 * We want a readable HEAD, usable "objects" directory, and
 	 * a "git-daemon-export-ok" flag that says that the other side
 	 * is ok with us doing this.
 	 *
 	 * path_ok() uses enter_repo() and does whitelist checking.
 	 * We only need to make sure the repository is exported.
 	 */
 	if (!export_all_trees && access("git-daemon-export-ok", F_OK)) {
 		logerror("'%s': repository not exported.", path);
 		errno = EACCES;
 		return -1;
 	}
 	if (access("objects/", X_OK) || access("HEAD", R_OK)) {
 		errno = EINVAL;
 		return -1;
 	}
 	/* If all this passed, we're OK */
 	return 0;
 }
 static int upload(char *dir)
 {
 	/* Try paths in this order */
 	static const char *paths[] = { "%s", "%s/.git", "%s.git", "%s.git/.git", NULL };
 	const char **pp;
 	/* Enough for the longest path above including final null */
 	int buflen = strlen(dir)+10;
 	char *dirbuf = xmalloc(buflen);
 	/* Timeout as string */
 	char timeout_buf[64];
 	loginfo("Request for '%s'", dir);
 	for ( pp = paths ; *pp ; pp++ ) {
 		snprintf(dirbuf, buflen, *pp, dir);
 		if ( !set_dir(dirbuf) )
 			break;
 	}
 	if ( !*pp ) {
 		logerror("Cannot set directory '%s': %s", dir, strerror(errno));
 		return -1;
 	}
 	/*
 	 * We'll ignore SIGTERM from now on, we have a
 	 * good client.
@ -200,7 +160,7 @@ static int upload(char *dir)
 	snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);
 	/* git-upload-pack only ever reads stuff, so this is safe */
-	execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL);
+	execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, path, NULL);
 	return -1;
 }
@ -216,7 +176,7 @@ static int execute(void)
 	if (len && line[len-1] == '\n')
 		line[--len] = 0;
-	if (!strncmp("git-upload-pack /", line, 17))
+	if (!strncmp("git-upload-pack ", line, 16))
 		return upload(line+16);
 	logerror("Protocol error: '%s'", line);
@ -617,6 +577,10 @@ int main(int argc, char **argv)
 			init_timeout = atoi(arg+15);
 			continue;
 		}
 		if (!strcmp(arg, "--strict-paths")) {
 			strict_paths = 1;
 			continue;
 		}
 		if (!strcmp(arg, "--")) {
 			ok_paths = &argv[i+1];
 			break;
@ -631,6 +595,14 @@ int main(int argc, char **argv)
 	if (log_syslog)
 		openlog("git-daemon", 0, LOG_DAEMON);
 	if (strict_paths && (!ok_paths || !*ok_paths)) {
 		if (!inetd_mode)
 			die("git-daemon: option --strict-paths requires a whitelist");
 		logerror("option --strict-paths requires a whitelist");
 		exit (1);
 	}
 	if (inetd_mode) {
 		fclose(stderr); //FIXME: workaround
 		return execute();