summaryrefslogtreecommitdiff
path: root/path.c
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2015-09-24 17:07:45 -0400
committerJunio C Hamano <gitster@pobox.com>2015-10-05 11:08:04 -0700
commite9ba678175da28607d57043e1363c6252880dd7f (patch)
tree8065c32ce9b8ae20d361f1e20f59067dad64e60a /path.c
parentb4600fbe071898068ef30be2766ee75880ec308b (diff)
downloadgit-e9ba678175da28607d57043e1363c6252880dd7f.tar.gz
enter_repo: convert fixed-size buffers to strbufs
We use two PATH_MAX-sized buffers to represent the repo path, and must make sure not to overflow them. We do take care to check the lengths, but the logic is rather hard to follow, as we use several magic numbers (e.g., "PATH_MAX - 10"). And in fact you _can_ overflow the buffer if you have a ".git" file with an extremely long path in it. By switching to strbufs, these problems all go away. We do, however, retain the check that the initial input we get is no larger than PATH_MAX. This function is an entry point for untrusted repo names from the network, and it's a good idea to keep a sanity check (both to avoid allocating arbitrary amounts of memory, and also as a layer of defense against any downstream users of the names). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'path.c')
-rw-r--r--path.c57
1 files changed, 29 insertions, 28 deletions
diff --git a/path.c b/path.c
index 46a4d2714b..60e0390906 100644
--- a/path.c
+++ b/path.c
@@ -391,8 +391,8 @@ return_null:
*/
const char *enter_repo(const char *path, int strict)
{
- static char used_path[PATH_MAX];
- static char validated_path[PATH_MAX];
+ static struct strbuf validated_path = STRBUF_INIT;
+ static struct strbuf used_path = STRBUF_INIT;
if (!path)
return NULL;
@@ -407,46 +407,47 @@ const char *enter_repo(const char *path, int strict)
while ((1 < len) && (path[len-1] == '/'))
len--;
+ /*
+ * We can handle arbitrary-sized buffers, but this remains as a
+ * sanity check on untrusted input.
+ */
if (PATH_MAX <= len)
return NULL;
- strncpy(used_path, path, len); used_path[len] = 0 ;
- strcpy(validated_path, used_path);
- if (used_path[0] == '~') {
- char *newpath = expand_user_path(used_path);
- if (!newpath || (PATH_MAX - 10 < strlen(newpath))) {
- free(newpath);
+ strbuf_reset(&used_path);
+ strbuf_reset(&validated_path);
+ strbuf_add(&used_path, path, len);
+ strbuf_add(&validated_path, path, len);
+
+ if (used_path.buf[0] == '~') {
+ char *newpath = expand_user_path(used_path.buf);
+ if (!newpath)
return NULL;
- }
- /*
- * Copy back into the static buffer. A pity
- * since newpath was not bounded, but other
- * branches of the if are limited by PATH_MAX
- * anyway.
- */
- strcpy(used_path, newpath); free(newpath);
+ strbuf_attach(&used_path, newpath, strlen(newpath),
+ strlen(newpath));
}
- else if (PATH_MAX - 10 < len)
- return NULL;
- len = strlen(used_path);
for (i = 0; suffix[i]; i++) {
struct stat st;
- strcpy(used_path + len, suffix[i]);
- if (!stat(used_path, &st) &&
+ size_t baselen = used_path.len;
+ strbuf_addstr(&used_path, suffix[i]);
+ if (!stat(used_path.buf, &st) &&
(S_ISREG(st.st_mode) ||
- (S_ISDIR(st.st_mode) && is_git_directory(used_path)))) {
- strcat(validated_path, suffix[i]);
+ (S_ISDIR(st.st_mode) && is_git_directory(used_path.buf)))) {
+ strbuf_addstr(&validated_path, suffix[i]);
break;
}
+ strbuf_setlen(&used_path, baselen);
}
if (!suffix[i])
return NULL;
- gitfile = read_gitfile(used_path) ;
- if (gitfile)
- strcpy(used_path, gitfile);
- if (chdir(used_path))
+ gitfile = read_gitfile(used_path.buf) ;
+ if (gitfile) {
+ strbuf_reset(&used_path);
+ strbuf_addstr(&used_path, gitfile);
+ }
+ if (chdir(used_path.buf))
return NULL;
- path = validated_path;
+ path = validated_path.buf;
}
else if (chdir(path))
return NULL;