From b48537305229d1a4f25633f71941ee52d2582017 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 17 Feb 2015 14:09:24 -0500 Subject: daemon: sanitize incoming virtual hostname We use the daemon_avoid_alias function to make sure that the pathname the user gives us is sane. However, after applying that check, we might then interpolate the path using a string given by the server admin, but which may contain more untrusted data from the client. We should be sure to sanitize this data, as well. We cannot use daemon_avoid_alias here, as it is more strict than we need in requiring a leading '/'. At the same time, we can be much more strict here. We are interpreting a hostname, which should not contain slashes or excessive runs of dots, as those things are not allowed in DNS names. Note that in addition to cleansing the hostname field, we must check the "canonical hostname" (%CH) as well as the port (%P), which we take as a raw string. For the canonical hostname, this comes from an actual DNS lookup on the accessed IP, which makes it a much less likely vector for problems. But it does not hurt to sanitize it in the same way. Unfortunately we cannot test this case easily, as it would involve a custom hostname lookup. We do not need to check %IP, as it comes straight from inet_ntop, so must have a sane form. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/t5570-git-daemon.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 't/t5570-git-daemon.sh') diff --git a/t/t5570-git-daemon.sh b/t/t5570-git-daemon.sh index 3eb7d3186e..b7e283252d 100755 --- a/t/t5570-git-daemon.sh +++ b/t/t5570-git-daemon.sh @@ -157,5 +157,16 @@ test_expect_success 'access repo via interpolated hostname' ' git clone --bare "$GIT_DAEMON_URL/interp.git" tmp.git ' +test_expect_success 'hostname cannot break out of directory' ' + rm -rf tmp.git && + repo="$GIT_DAEMON_DOCUMENT_ROOT_PATH/../escape.git" && + git init --bare "$repo" && + git push "$repo" HEAD && + >"$repo"/git-daemon-export-ok && + test_must_fail \ + env GIT_OVERRIDE_VIRTUAL_HOST=.. \ + git clone --bare "$GIT_DAEMON_URL/escape.git" tmp.git +' + stop_git_daemon test_done -- cgit v1.2.1