daemon: further tweaks.

- Do validation only on canonicalized paths - Run upload-pack with "." as repository argument Signed-off-by: Junio C Hamano <junkio@cox.net>
19 years ago · ce335fe04f
2 changed files with 14 additions and 18 deletions
--- a/Documentation/git-daemon.txt
+++ b/Documentation/git-daemon.txt
@ -8,7 +8,7 @@ git-daemon - A really simple server for git repositories.
				@@ -8,7 +8,7 @@ git-daemon - A really simple server for git repositories.
 SYNOPSIS
 --------
 'git-daemon' [--verbose] [--syslog] [--inetd | --port=n] [--export-all]
-             [--timeout=n] [--init-timeout=n] [directory...]
+             [--timeout=n] [--init-timeout=n] [--strict-paths] [directory...]

 DESCRIPTION
 -----------
@ -29,7 +29,7 @@ This is ideally suited for read-only updates, ie pulling from git repositories.
				@@ -29,7 +29,7 @@ This is ideally suited for read-only updates, ie pulling from git repositories.

 OPTIONS
 -------
-+--strict-paths::
+--strict-paths::
 	Match paths exactly (i.e. don't allow "/foo/repo" when the real path is
 	"/foo/repo.git" or "/foo/repo/.git") and don't do user-relative paths.
 	git-daemon will refuse to start when this option is enabled and no
--- a/daemon.c
+++ b/daemon.c
@ -92,27 +92,23 @@ static char *path_ok(char *dir)
				@@ -92,27 +92,23 @@ static char *path_ok(char *dir)
 	}

 	if ( ok_paths && *ok_paths ) {
-		char **pp = NULL;
-		int dirlen = strlen(dir);
+		char **pp;
 		int pathlen = strlen(path);

+		/* The validation is done on the paths after enter_repo
+		 * canonicalization, so whitelist should be written in
+		 * terms of real pathnames (i.e. after ~user is expanded
+		 * and symlinks resolved).
+		 */
 		for ( pp = ok_paths ; *pp ; pp++ ) {
 			int len = strlen(*pp);
-			/* because of symlinks we must match both what the
-			 * user passed and the canonicalized path, otherwise
-			 * the user can send a string matching either a whitelist
-			 * entry or an actual directory exactly and still not
-			 * get through */
-			if (len <= pathlen && !memcmp(*pp, path, len)) {
-				if (path[len] == '\0' || (!strict_paths && path[len] == '/'))
-					return path;
-			}
-			if (len <= dirlen && !memcmp(*pp, dir, len)) {
-				if (dir[len] == '\0' || (!strict_paths && dir[len] == '/'))
+			if (len <= pathlen &&
+			    !memcmp(*pp, path, len) &&
+			    (path[len] == '\0' ||
+			     (!strict_paths && path[len] == '/')))
 				return path;
 		}
 	}
-	}
 	else {
 		/* be backwards compatible */
 		if (!strict_paths)
@ -160,7 +156,7 @@ static int upload(char *dir)
				@@ -160,7 +156,7 @@ static int upload(char *dir)
 	snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);

 	/* git-upload-pack only ever reads stuff, so this is safe */
-	execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, path, NULL);
+	execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL);
 	return -1;
 }