diff options
author | H. Peter Anvin <hpa@zytor.com> | 2005-10-19 14:27:01 -0700 |
---|---|---|
committer | Junio C Hamano <junkio@cox.net> | 2005-10-19 14:27:01 -0700 |
commit | 960deccb26a5bee6c6cd63d50e8272f540a27b19 (patch) | |
tree | a5921439da568a46cbb9db25e3d2fa6403167a56 /daemon.c | |
parent | f8765797a41a39f4dfc7030098c38283e6461a83 (diff) | |
download | git-960deccb26a5bee6c6cd63d50e8272f540a27b19.tar.gz git-960deccb26a5bee6c6cd63d50e8272f540a27b19.tar.xz |
git-daemon: timeout, eliminate double DWIM
It turns out that not only did git-daemon do DWIM, but git-upload-pack
does as well. This is bad; security checks have to be performed *after*
canonicalization, not before.
Additionally, the current git-daemon can be trivially DoSed by spewing
SYNs at the target port.
This patch adds a --strict option to git-upload-pack to disable all
DWIM, a --timeout option to git-daemon and git-upload-pack, and an
--init-timeout option to git-daemon (which is typically set to a much
lower value, since the initial request should come immediately from the
client.)
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
Diffstat (limited to 'daemon.c')
-rw-r--r-- | daemon.c | 21 |
1 files changed, 19 insertions, 2 deletions
@@ -13,7 +13,9 @@ static int log_syslog; static int verbose; -static const char daemon_usage[] = "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all] [directory...]"; +static const char daemon_usage[] = +"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n" +" [--timeout=n] [--init-timeout=n] [directory...]"; /* List of acceptable pathname prefixes */ static char **ok_paths = NULL; @@ -21,6 +23,9 @@ static char **ok_paths = NULL; /* If this is set, git-daemon-export-ok is not required */ static int export_all_trees = 0; +/* Timeout, and initial timeout */ +static unsigned int timeout = 0; +static unsigned int init_timeout = 0; static void logreport(int priority, const char *err, va_list params) { @@ -170,6 +175,8 @@ static int upload(char *dir) /* Enough for the longest path above including final null */ int buflen = strlen(dir)+10; char *dirbuf = xmalloc(buflen); + /* Timeout as string */ + char timeout_buf[64]; loginfo("Request for '%s'", dir); @@ -190,8 +197,10 @@ static int upload(char *dir) */ signal(SIGTERM, SIG_IGN); + snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout); + /* git-upload-pack only ever reads stuff, so this is safe */ - execlp("git-upload-pack", "git-upload-pack", ".", NULL); + execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL); return -1; } @@ -200,7 +209,9 @@ static int execute(void) static char line[1000]; int len; + alarm(init_timeout ? init_timeout : timeout); len = packet_read_line(0, line, sizeof(line)); + alarm(0); if (len && line[len-1] == '\n') line[--len] = 0; @@ -598,6 +609,12 @@ int main(int argc, char **argv) export_all_trees = 1; continue; } + if (!strncmp(arg, "--timeout=", 10)) { + timeout = atoi(arg+10); + } + if (!strncmp(arg, "--init-timeout=", 10)) { + init_timeout = atoi(arg+15); + } if (!strcmp(arg, "--")) { ok_paths = &argv[i+1]; break; |