summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJunio C Hamano <gitster@pobox.com>2015-04-01 18:00:36 -0700
committerJunio C Hamano <gitster@pobox.com>2015-04-02 11:05:18 -0700
commitafcb6ee30acf17f4e0338c49fbab301131abfbba (patch)
tree8459187f6b4bddbbf09d681b96085e76853f7787
parent45917f0f994aee78dccf2a41000b48fc23db1a0b (diff)
downloadgit-afcb6ee30acf17f4e0338c49fbab301131abfbba.tar.gz
push --signed: tighten what the receiving end can ask to signjc/push-cert
Instead of blindly trusting the receiving side to give us a sensible nonce to sign, limit the length (max 256 bytes) and the alphabet (alnum and a few selected punctuations, enough to encode in base64) that can be used in nonce. Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--send-pack.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/send-pack.c b/send-pack.c
index 7ad1a5968b..2249808027 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -279,6 +279,28 @@ free_return:
return update_seen;
}
+#define NONCE_LEN_LIMIT 256
+
+static void reject_invalid_nonce(const char *nonce, int len)
+{
+ int i = 0;
+
+ if (NONCE_LEN_LIMIT <= len)
+ die("the receiving end asked to sign an invalid nonce <%.*s>",
+ len, nonce);
+
+ for (i = 0; i < len; i++) {
+ int ch = nonce[i] & 0xFF;
+ if (isalnum(ch) ||
+ ch == '-' || ch == '.' ||
+ ch == '/' || ch == '+' ||
+ ch == '=' || ch == '_')
+ continue;
+ die("the receiving end asked to sign an invalid nonce <%.*s>",
+ len, nonce);
+ }
+}
+
int send_pack(struct send_pack_args *args,
int fd[], struct child_process *conn,
struct ref *remote_refs,
@@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args,
push_cert_nonce = server_feature_value("push-cert", &len);
if (!push_cert_nonce)
die(_("the receiving end does not support --signed push"));
+ reject_invalid_nonce(push_cert_nonce, len);
push_cert_nonce = xmemdupz(push_cert_nonce, len);
}