From 54f4b87454824fedc629219620ce9b7cdcab3d27 Mon Sep 17 00:00:00 2001 From: Andreas Ericsson Date: Thu, 17 Nov 2005 20:37:14 +0100 Subject: Library code for user-relative paths, take three. This patch provides the work-horse of the user-relative paths feature, using Linus' idea of a blind chdir() and getcwd() which makes it remarkably simple. Signed-off-by: Andreas Ericsson Signed-off-by: Junio C Hamano --- path.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'path.c') diff --git a/path.c b/path.c index 495d17ca4..5b617092a 100644 --- a/path.c +++ b/path.c @@ -11,6 +11,7 @@ * which is what it's designed for. */ #include "cache.h" +#include static char pathname[PATH_MAX]; static char bad_path[] = "/bad-path/"; @@ -89,3 +90,74 @@ char *safe_strncpy(char *dest, const char *src, size_t n) return dest; } + +static char *current_dir() +{ + return getcwd(pathname, sizeof(pathname)); +} + +/* Take a raw path from is_git_repo() and canonicalize it using Linus' + * idea of a blind chdir() and getcwd(). */ +static const char *canonical_path(char *path, int strict) +{ + char *dir = path; + + if(strict && *dir != '/') + return NULL; + + if(*dir == '~') { /* user-relative path */ + struct passwd *pw; + char *slash = strchr(dir, '/'); + + dir++; + /* '~/' and '~' (no slash) means users own home-dir */ + if(!*dir || *dir == '/') + pw = getpwuid(getuid()); + else { + if (slash) { + *slash = '\0'; + pw = getpwnam(dir); + *slash = '/'; + } + else + pw = getpwnam(dir); + } + + /* make sure we got something back that we can chdir() to */ + if(!pw || chdir(pw->pw_dir) < 0) + return NULL; + + if(!slash || !slash[1]) /* no path following username */ + return current_dir(); + + dir = slash + 1; + } + + /* ~foo/path/to/repo is now path/to/repo and we're in foo's homedir */ + if(chdir(dir) < 0) + return NULL; + + return current_dir(); +} + +char *enter_repo(char *path, int strict) +{ + if(!path) + return NULL; + + if(!canonical_path(path, strict)) { + if(strict || !canonical_path(mkpath("%s.git", path), strict)) + return NULL; + } + + /* This is perfectly safe, and people tend to think of the directory + * where they ran git-init-db as their repository, so humour them. */ + (void)chdir(".git"); + + if(access("objects", X_OK) == 0 && access("refs", X_OK) == 0) { + putenv("GIT_DIR=."); + return current_dir(); + } + + return NULL; +} -- cgit v1.2.1 From 0870ca7fabe6f25095431280e480859f7c66e8ab Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 18 Nov 2005 14:59:34 -0800 Subject: Do not DWIM in userpath library under strict mode. This should force git-daemon administrator's job a bit harder because the exact paths need to be given in the whitelist, but at the same time makes the auditing easier. This moves validate_symref() from refs.c to path.c, because we need to link path.c with git-daemon for its "enter_repo()", but we do not want to link the daemon with the rest of git libraries and its requirements. Signed-off-by: Junio C Hamano --- path.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 60 insertions(+), 17 deletions(-) (limited to 'path.c') diff --git a/path.c b/path.c index 5b617092a..d635470de 100644 --- a/path.c +++ b/path.c @@ -91,20 +91,55 @@ char *safe_strncpy(char *dest, const char *src, size_t n) return dest; } +int validate_symref(const char *path) +{ + struct stat st; + char *buf, buffer[256]; + int len, fd; + + if (lstat(path, &st) < 0) + return -1; + + /* Make sure it is a "refs/.." symlink */ + if (S_ISLNK(st.st_mode)) { + len = readlink(path, buffer, sizeof(buffer)-1); + if (len >= 5 && !memcmp("refs/", buffer, 5)) + return 0; + return -1; + } + + /* + * Anything else, just open it and try to see if it is a symbolic ref. + */ + fd = open(path, O_RDONLY); + if (fd < 0) + return -1; + len = read(fd, buffer, sizeof(buffer)-1); + close(fd); + + /* + * Is it a symbolic ref? + */ + if (len < 4 || memcmp("ref:", buffer, 4)) + return -1; + buf = buffer + 4; + len -= 4; + while (len && isspace(*buf)) + buf++, len--; + if (len >= 5 && !memcmp("refs/", buf, 5)) + return 0; + return -1; +} + static char *current_dir() { return getcwd(pathname, sizeof(pathname)); } -/* Take a raw path from is_git_repo() and canonicalize it using Linus' - * idea of a blind chdir() and getcwd(). */ -static const char *canonical_path(char *path, int strict) +static int user_chdir(char *path) { char *dir = path; - if(strict && *dir != '/') - return NULL; - if(*dir == '~') { /* user-relative path */ struct passwd *pw; char *slash = strchr(dir, '/'); @@ -125,19 +160,19 @@ static const char *canonical_path(char *path, int strict) /* make sure we got something back that we can chdir() to */ if(!pw || chdir(pw->pw_dir) < 0) - return NULL; + return -1; if(!slash || !slash[1]) /* no path following username */ - return current_dir(); + return 0; dir = slash + 1; } /* ~foo/path/to/repo is now path/to/repo and we're in foo's homedir */ if(chdir(dir) < 0) - return NULL; + return -1; - return current_dir(); + return 0; } char *enter_repo(char *path, int strict) @@ -145,16 +180,24 @@ char *enter_repo(char *path, int strict) if(!path) return NULL; - if(!canonical_path(path, strict)) { - if(strict || !canonical_path(mkpath("%s.git", path), strict)) + if (strict) { + if((path[0] != '/') || chdir(path) < 0) return NULL; } + else { + if (!*path) + ; /* happy -- no chdir */ + else if (!user_chdir(path)) + ; /* happy -- as given */ + else if (!user_chdir(mkpath("%s.git", path))) + ; /* happy -- uemacs --> uemacs.git */ + else + return NULL; + (void)chdir(".git"); + } - /* This is perfectly safe, and people tend to think of the directory - * where they ran git-init-db as their repository, so humour them. */ - (void)chdir(".git"); - - if(access("objects", X_OK) == 0 && access("refs", X_OK) == 0) { + if(access("objects", X_OK) == 0 && access("refs", X_OK) == 0 && + validate_symref("HEAD") == 0) { putenv("GIT_DIR=."); return current_dir(); } -- cgit v1.2.1 From bd22c904a0f1c88a3a7bfa96bbf690de2f5cb278 Mon Sep 17 00:00:00 2001 From: Timo Hirvonen Date: Mon, 21 Nov 2005 02:52:52 +0200 Subject: Fix sparse warnings Make some functions static and convert func() function prototypes to to func(void). Fix declaration after statement, missing declaration and redundant declaration warnings. Signed-off-by: Timo Hirvonen Signed-off-by: Junio C Hamano --- path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'path.c') diff --git a/path.c b/path.c index d635470de..84b3272d9 100644 --- a/path.c +++ b/path.c @@ -131,7 +131,7 @@ int validate_symref(const char *path) return -1; } -static char *current_dir() +static char *current_dir(void) { return getcwd(pathname, sizeof(pathname)); } -- cgit v1.2.1 From e0a87193d3f2b78b7b687405c0315e1517d36912 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Sun, 20 Nov 2005 23:37:13 -0800 Subject: Fix "do not DWIM" patch to enter_repo" We wanted --strict to mean "do not DWIM", but the code required to see absolute path. daemon does its own path verification and chdirs to the verified repository, so enter_repo() called from upload-pack will always enter ".". Requiring absolute path does not make any sense. Signed-off-by: Junio C Hamano --- path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'path.c') diff --git a/path.c b/path.c index 84b3272d9..4d889473a 100644 --- a/path.c +++ b/path.c @@ -181,7 +181,7 @@ char *enter_repo(char *path, int strict) return NULL; if (strict) { - if((path[0] != '/') || chdir(path) < 0) + if (chdir(path) < 0) return NULL; } else { -- cgit v1.2.1