diff options
author | Junio C Hamano <gitster@pobox.com> | 2015-04-01 18:00:36 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2015-04-02 11:05:18 -0700 |
commit | afcb6ee30acf17f4e0338c49fbab301131abfbba (patch) | |
tree | 8459187f6b4bddbbf09d681b96085e76853f7787 | |
parent | 45917f0f994aee78dccf2a41000b48fc23db1a0b (diff) | |
download | git-afcb6ee30acf17f4e0338c49fbab301131abfbba.tar.gz |
push --signed: tighten what the receiving end can ask to signjc/push-cert
Instead of blindly trusting the receiving side to give us a sensible
nonce to sign, limit the length (max 256 bytes) and the alphabet
(alnum and a few selected punctuations, enough to encode in base64)
that can be used in nonce.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | send-pack.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/send-pack.c b/send-pack.c index 7ad1a5968b..2249808027 100644 --- a/send-pack.c +++ b/send-pack.c @@ -279,6 +279,28 @@ free_return: return update_seen; } +#define NONCE_LEN_LIMIT 256 + +static void reject_invalid_nonce(const char *nonce, int len) +{ + int i = 0; + + if (NONCE_LEN_LIMIT <= len) + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + + for (i = 0; i < len; i++) { + int ch = nonce[i] & 0xFF; + if (isalnum(ch) || + ch == '-' || ch == '.' || + ch == '/' || ch == '+' || + ch == '=' || ch == '_') + continue; + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + } +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, @@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args, push_cert_nonce = server_feature_value("push-cert", &len); if (!push_cert_nonce) die(_("the receiving end does not support --signed push")); + reject_invalid_nonce(push_cert_nonce, len); push_cert_nonce = xmemdupz(push_cert_nonce, len); } |