connect: reject ssh hostname that begins with a dash

When commands like "git fetch" talk with ssh://$rest_of_URL/, the
code splits $rest_of_URL into components like host, port, etc., and
then spawns the underlying "ssh" program by formulating argv[] array
that has:

 - the path to ssh command taken from GIT_SSH_COMMAND, etc.

 - dashed options like '-batch' (for Tortoise), '-p <port>' as
   needed.

 - ssh_host, which is supposed to be the hostname parsed out of
   $rest_of_URL.

 - then the command to be run on the other side, e.g. git
   upload-pack.

If the ssh_host ends up getting '-<anything>', the argv[] that is
used to spawn the command becomes something like:

    { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL }

which obviously is bogus, but depending on the actual value of
"<anything>", will make "ssh" parse and use it as an option.

Prevent this by forbidding ssh_host that begins with a "-".

[jes: adjustes lib-proto-disable.sh to unset proto.allow=never]

Noticed-by: Joern Schneeweisz of Recurity Labs
Reported-by: Brian at GitLab
Signed-off-by: Junio C Hamano <[email protected]>
Reviewed-by: Jeff King <[email protected]>
Signed-off-by: Junio C Hamano <[email protected]>
Signed-off-by: Johannes Schindelin <[email protected]>

Author: Junio C Hamano

connect.c

@@ -835,6 +835,9 @@ struct child_process *git_connect(int fd[2], const char *url,
 				return NULL;
 			}
 
+			if (ssh_host[0] == '-')
+				die("strange hostname '%s' blocked", ssh_host);
+
 			ssh = get_ssh_command();
 			if (ssh)
 				handle_ssh_variant(ssh, 1, &port_option,

t/lib-proto-disable.sh

@@ -172,6 +172,10 @@ test_config () {
 		rm -rf tmp.git &&
 		test_must_fail git clone --bare "$url" tmp.git
 	'
+
+	test_expect_success 'unset protocol.allow' '
+		git config --global --unset protocol.allow
+	'
 }
 
 # test cloning a particular protocol