Merge tag 'v2.12.4' into maint

gitster · gitster · commit e312af164c12 · 2017-08-01T12:27:31.000-07:00
diff --git a/Documentation/RelNotes/2.10.4.txt b/Documentation/RelNotes/2.10.4.txt
@@ -0,0 +1,4 @@
+Git v2.10.4 Release Notes
+=========================
+
+This release forward-ports the fix for "ssh://..." URL from Git v2.7.6
diff --git a/Documentation/RelNotes/2.11.3.txt b/Documentation/RelNotes/2.11.3.txt
@@ -0,0 +1,4 @@
+Git v2.11.3 Release Notes
+=========================
+
+This release forward-ports the fix for "ssh://..." URL from Git v2.7.6
diff --git a/Documentation/RelNotes/2.12.4.txt b/Documentation/RelNotes/2.12.4.txt
@@ -0,0 +1,4 @@
+Git v2.12.4 Release Notes
+=========================
+
+This release forward-ports the fix for "ssh://..." URL from Git v2.7.6
diff --git a/Documentation/RelNotes/2.7.6.txt b/Documentation/RelNotes/2.7.6.txt
@@ -0,0 +1,25 @@
+Git v2.7.6 Release Notes
+========================
+
+Fixes since v2.7.5
+------------------
+
+ * A "ssh://..." URL can result in a "ssh" command line with a
+   hostname that begins with a dash "-", which would cause the "ssh"
+   command to instead (mis)treat it as an option.  This is now
+   prevented by forbidding such a hostname (which will not be
+   necessary in the real world).
+
+ * Similarly, when GIT_PROXY_COMMAND is configured, the command is
+   run with host and port that are parsed out from "ssh://..." URL;
+   a poorly written GIT_PROXY_COMMAND could be tricked into treating
+   a string that begins with a dash "-".  This is now prevented by
+   forbidding such a hostname and port number (again, which will not
+   be necessary in the real world).
+
+ * In the same spirit, a repository name that begins with a dash "-"
+   is also forbidden now.
+
+Credits go to Brian Neel at GitLab, Joern Schneeweisz of Recurity
+Labs and Jeff King at GitHub.
+
diff --git a/Documentation/RelNotes/2.8.6.txt b/Documentation/RelNotes/2.8.6.txt
@@ -0,0 +1,4 @@
+Git v2.8.6 Release Notes
+========================
+
+This release forward-ports the fix for "ssh://..." URL from Git v2.7.6
diff --git a/Documentation/RelNotes/2.9.5.txt b/Documentation/RelNotes/2.9.5.txt
@@ -0,0 +1,4 @@
+Git v2.9.5 Release Notes
+========================
+
+This release forward-ports the fix for "ssh://..." URL from Git v2.7.6
diff --git a/cache.h b/cache.h
@@ -1190,6 +1190,14 @@ char *strip_path_suffix(const char *path, const char *suffix);
 int daemon_avoid_alias(const char *path);
 extern int is_ntfs_dotgit(const char *name);
 
+/*
+ * Returns true iff "str" could be confused as a command-line option when
+ * passed to a sub-program like "ssh". Note that this has nothing to do with
+ * shell-quoting, which should be handled separately; we're assuming here that
+ * the string makes it verbatim to the sub-program.
+ */
+int looks_like_command_line_option(const char *str);
+
 /**
  * Return a newly allocated string with the evaluation of
  * "$XDG_CONFIG_HOME/git/$filename" if $XDG_CONFIG_HOME is non-empty, otherwise
diff --git a/connect.c b/connect.c
@@ -577,6 +577,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)
 
 	get_host_and_port(&host, &port);
 
+	if (looks_like_command_line_option(host))
+		die("strange hostname '%s' blocked", host);
+	if (looks_like_command_line_option(port))
+		die("strange port '%s' blocked", port);
+
 	proxy = xmalloc(sizeof(*proxy));
 	child_process_init(proxy);
 	argv_array_push(&proxy->args, git_proxy_command);
@@ -823,6 +828,9 @@ struct child_process *git_connect(int fd[2], const char *url,
 		conn = xmalloc(sizeof(*conn));
 		child_process_init(conn);
 
+		if (looks_like_command_line_option(path))
+			die("strange pathname '%s' blocked", path);
+
 		strbuf_addstr(&cmd, prog);
 		strbuf_addch(&cmd, ' ');
 		sq_quote_buf(&cmd, path);
@@ -856,6 +864,9 @@ struct child_process *git_connect(int fd[2], const char *url,
 				return NULL;
 			}
 
+			if (looks_like_command_line_option(ssh_host))
+				die("strange hostname '%s' blocked", ssh_host);
+
 			ssh = get_ssh_command();
 			if (ssh)
 				handle_ssh_variant(ssh, 1, &port_option,
diff --git a/path.c b/path.c
@@ -1241,6 +1241,11 @@ int is_ntfs_dotgit(const char *name)
 		}
 }
 
+int looks_like_command_line_option(const char *str)
+{
+	return str && str[0] == '-';
+}
+
 char *xdg_config_home(const char *filename)
 {
 	const char *home, *config_home;
diff --git a/t/lib-proto-disable.sh b/t/lib-proto-disable.sh
@@ -147,29 +147,33 @@ test_config () {
 	# Test clone/fetch/push with protocol.allow user defined default
 	test_expect_success "clone $desc (enabled)" '
 		rm -rf tmp.git &&
-		git config --global protocol.allow always &&
+		test_config_global protocol.allow always &&
 		git clone --bare "$url" tmp.git
 	'
 
 	test_expect_success "fetch $desc (enabled)" '
+		test_config_global protocol.allow always &&
 		git -C tmp.git fetch
 	'
 
 	test_expect_success "push $desc (enabled)" '
+		test_config_global protocol.allow always &&
 		git -C tmp.git push origin HEAD:pushed
 	'
 
 	test_expect_success "push $desc (disabled)" '
-		git config --global protocol.allow never &&
+		test_config_global protocol.allow never &&
 		test_must_fail git -C tmp.git push origin HEAD:pushed
 	'
 
 	test_expect_success "fetch $desc (disabled)" '
+		test_config_global protocol.allow never &&
 		test_must_fail git -C tmp.git fetch
 	'
 
 	test_expect_success "clone $desc (disabled)" '
 		rm -rf tmp.git &&
+		test_config_global protocol.allow never &&
 		test_must_fail git clone --bare "$url" tmp.git
 	'
 }
diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
@@ -43,4 +43,9 @@ test_expect_success 'fetch through proxy works' '
 	test_cmp expect actual
 '
 
+test_expect_success 'funny hostnames are rejected before running proxy' '
+	test_must_fail git fetch git://-remote/repo.git 2>stderr &&
+	! grep "proxying for" stderr
+'
+
 test_done
diff --git a/t/t5810-proto-disable-local.sh b/t/t5810-proto-disable-local.sh
@@ -11,4 +11,27 @@ test_expect_success 'setup repository to clone' '
 test_proto "file://" file "file://$PWD"
 test_proto "path" file .
 
+test_expect_success 'setup repo with dash' '
+	git init --bare repo.git &&
+	git push repo.git HEAD &&
+	mv repo.git "$PWD/-repo.git"
+'
+
+# This will fail even without our rejection because upload-pack will
+# complain about the bogus option. So let's make sure that GIT_TRACE
+# doesn't show us even running upload-pack.
+#
+# We must also be sure to use "fetch" and not "clone" here, as the latter
+# actually canonicalizes our input into an absolute path (which is fine
+# to allow).
+test_expect_success 'repo names starting with dash are rejected' '
+	rm -f trace.out &&
+	test_must_fail env GIT_TRACE="$PWD/trace.out" git fetch -- -repo.git &&
+	! grep upload-pack trace.out
+'
+
+test_expect_success 'full paths still work' '
+	git fetch "$PWD/-repo.git"
+'
+
 test_done
diff --git a/t/t5813-proto-disable-ssh.sh b/t/t5813-proto-disable-ssh.sh
@@ -17,4 +17,27 @@ test_proto "host:path" ssh "remote:repo.git"
 test_proto "ssh://" ssh "ssh://remote$PWD/remote/repo.git"
 test_proto "git+ssh://" ssh "git+ssh://remote$PWD/remote/repo.git"
 
+# Don't even bother setting up a "-remote" directory, as ssh would generally
+# complain about the bogus option rather than completing our request. Our
+# fake wrapper actually _can_ handle this case, but it's more robust to
+# simply confirm from its output that it did not run at all.
+test_expect_success 'hostnames starting with dash are rejected' '
+	test_must_fail git clone ssh://-remote/repo.git dash-host 2>stderr &&
+	! grep ^ssh: stderr
+'
+
+test_expect_success 'setup repo with dash' '
+	git init --bare remote/-repo.git &&
+	git push remote/-repo.git HEAD
+'
+
+test_expect_success 'repo names starting with dash are rejected' '
+	test_must_fail git clone remote:-repo.git dash-path 2>stderr &&
+	! grep ^ssh: stderr
+'
+
+test_expect_success 'full paths still work' '
+	git clone "remote:$PWD/remote/-repo.git" dash-path
+'
+
 test_done

Original file line number	Diff line number	Diff line change
`@@ -1241,6 +1241,11 @@ int is_ntfs_dotgit(const char *name)`
`1241`	`1241`	`}`
`1242`	`1242`	`}`
`1243`	`1243`
	`1244`	`+int looks_like_command_line_option(const char *str)`
	`1245`	`+{`
	`1246`	`+ return str && str[0] == '-';`
	`1247`	`+}`
	`1248`	`+`
`1244`	`1249`	`char xdg_config_home(const char filename)`
`1245`	`1250`	`{`
`1246`	`1251`	`const char home, config_home;`
Original file line number	Diff line number	Diff line change
`@@ -147,29 +147,33 @@ test_config () {`
`147`	`147`	`# Test clone/fetch/push with protocol.allow user defined default`
`148`	`148`	`test_expect_success "clone $desc (enabled)" '`
`149`	`149`	`rm -rf tmp.git &&`
`150`		`- git config --global protocol.allow always &&`
	`150`	`+ test_config_global protocol.allow always &&`
`151`	`151`	`git clone --bare "$url" tmp.git`
`152`	`152`	`'`
`153`	`153`
`154`	`154`	`test_expect_success "fetch $desc (enabled)" '`
	`155`	`+ test_config_global protocol.allow always &&`
`155`	`156`	`git -C tmp.git fetch`
`156`	`157`	`'`
`157`	`158`
`158`	`159`	`test_expect_success "push $desc (enabled)" '`
	`160`	`+ test_config_global protocol.allow always &&`
`159`	`161`	`git -C tmp.git push origin HEAD:pushed`
`160`	`162`	`'`
`161`	`163`
`162`	`164`	`test_expect_success "push $desc (disabled)" '`
`163`		`- git config --global protocol.allow never &&`
	`165`	`+ test_config_global protocol.allow never &&`
`164`	`166`	`test_must_fail git -C tmp.git push origin HEAD:pushed`
`165`	`167`	`'`
`166`	`168`
`167`	`169`	`test_expect_success "fetch $desc (disabled)" '`
	`170`	`+ test_config_global protocol.allow never &&`
`168`	`171`	`test_must_fail git -C tmp.git fetch`
`169`	`172`	`'`
`170`	`173`
`171`	`174`	`test_expect_success "clone $desc (disabled)" '`
`172`	`175`	`rm -rf tmp.git &&`
	`176`	`+ test_config_global protocol.allow never &&`
`173`	`177`	`test_must_fail git clone --bare "$url" tmp.git`
`174`	`178`	`'`
`175`	`179`	`}`