connect: reject dashed arguments for proxy commands

peff · dscho · commit e95d1a1ebd0c · 2017-08-09T22:52:12.000+02:00
If you have a GIT_PROXY_COMMAND configured, we will run it
with the host/port on the command-line. If a URL contains a
mischievous host like "--foo", we don't know how the proxy
command may handle it. It's likely to break, but it may also
do something dangerous and unwanted (technically it could
even do something useful, but that seems unlikely).

We should err on the side of caution and reject this before
we even run the command.

The hostname check matches the one we do in a similar
circumstance for ssh. The port check is not present for ssh,
but there it's not necessary because the syntax is "-p
&lt;port&gt;", and there's no ambiguity on the parsing side.

It's not clear whether you can actually get a negative port
to the proxy here or not. Doing:

  git fetch git://remote:-1234/repo.git

keeps the "-1234" as part of the hostname, with the default
port of 9418. But it's a good idea to keep this check close
to the point of running the command to make it clear that
there's no way to circumvent it (and at worst it serves as a
belt-and-suspenders check).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Reviewed-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/connect.c b/connect.c
@@ -577,6 +577,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)
 
 	get_host_and_port(&host, &port);
 
+	if (looks_like_command_line_option(host))
+		die("strange hostname '%s' blocked", host);
+	if (looks_like_command_line_option(port))
+		die("strange port '%s' blocked", port);
+
 	proxy = xmalloc(sizeof(*proxy));
 	child_process_init(proxy);
 	argv_array_push(&proxy->args, git_proxy_command);
diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
@@ -43,4 +43,9 @@ test_expect_success 'fetch through proxy works' '
 	test_cmp expect actual
 '
 
+test_expect_success 'funny hostnames are rejected before running proxy' '
+	test_must_fail git fetch git://-remote/repo.git 2>stderr &&
+	! grep "proxying for" stderr
+'
+
 test_done

Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,9 @@ test_expect_success 'fetch through proxy works' '`
`43`	`43`	`test_cmp expect actual`
`44`	`44`	`'`
`45`	`45`
	`46`	`+test_expect_success 'funny hostnames are rejected before running proxy' '`
	`47`	`+ test_must_fail git fetch git://-remote/repo.git 2>stderr &&`
	`48`	`+ ! grep "proxying for" stderr`
	`49`	`+'`
	`50`	`+`
`46`	`51`	`test_done`