aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2017-07-28 15:26:50 -0400
committerJunio C Hamano <gitster@pobox.com>2017-07-28 15:52:18 -0700
commit3be4cf09cd3d0747af3ecdb8dc3962a0969b731e (patch)
tree1bc7773276b260a31f29bb335c6ce97f5632f6f4
parent2491f77b90c2e5d47acbe7472c17e7de0af74f63 (diff)
downloadgit-3be4cf09cd3d0747af3ecdb8dc3962a0969b731e.tar.gz
git-3be4cf09cd3d0747af3ecdb8dc3962a0969b731e.tar.xz
connect: reject dashed arguments for proxy commands
If you have a GIT_PROXY_COMMAND configured, we will run it with the host/port on the command-line. If a URL contains a mischievous host like "--foo", we don't know how the proxy command may handle it. It's likely to break, but it may also do something dangerous and unwanted (technically it could even do something useful, but that seems unlikely). We should err on the side of caution and reject this before we even run the command. The hostname check matches the one we do in a similar circumstance for ssh. The port check is not present for ssh, but there it's not necessary because the syntax is "-p <port>", and there's no ambiguity on the parsing side. It's not clear whether you can actually get a negative port to the proxy here or not. Doing: git fetch git://remote:-1234/repo.git keeps the "-1234" as part of the hostname, with the default port of 9418. But it's a good idea to keep this check close to the point of running the command to make it clear that there's no way to circumvent it (and at worst it serves as a belt-and-suspenders check). Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--connect.c5
-rwxr-xr-xt/t5532-fetch-proxy.sh5
2 files changed, 10 insertions, 0 deletions
diff --git a/connect.c b/connect.c
index a0091acb1..bdf2ca08a 100644
--- a/connect.c
+++ b/connect.c
@@ -553,6 +553,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)
get_host_and_port(&host, &port);
+ if (looks_like_command_line_option(host))
+ die("strange hostname '%s' blocked", host);
+ if (looks_like_command_line_option(port))
+ die("strange port '%s' blocked", port);
+
proxy = xmalloc(sizeof(*proxy));
child_process_init(proxy);
argv_array_push(&proxy->args, git_proxy_command);
diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
index 5531bd1af..d3b2651b6 100755
--- a/t/t5532-fetch-proxy.sh
+++ b/t/t5532-fetch-proxy.sh
@@ -40,4 +40,9 @@ test_expect_success 'fetch through proxy works' '
test_cmp expect actual
'
+test_expect_success 'funny hostnames are rejected before running proxy' '
+ test_must_fail git fetch git://-remote/repo.git 2>stderr &&
+ ! grep "proxying for" stderr
+'
+
test_done