X-Git-Url: https://git.octo.it/?p=git.git;a=blobdiff_plain;f=daemon.c;h=2f03f99d2d9f2ed9a23932e5104456f69b721116;hp=f285a8c98ca9fbfc421b735f76f9d9f2248bd749;hb=162f41292167a800432fc6bbacfcd9f93a90b0c8;hpb=64a2228b02594d5ccb7aaca293816f571fd1ea84

diff --git a/daemon.c b/daemon.c
index f285a8c9..2f03f99d 100644
--- a/daemon.c
+++ b/daemon.c
@@ -1,5 +1,3 @@
-#include "cache.h"
-#include "pkt-line.h"
 #include <signal.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
@@ -9,18 +7,39 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <syslog.h>
+#include "pkt-line.h"
+#include "cache.h"
+#include "exec_cmd.h"
 
 static int log_syslog;
 static int verbose;
+static int reuseaddr;
 
-static const char daemon_usage[] = "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all] [directory...]";
+static const char daemon_usage[] =
+"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
+"           [--timeout=n] [--init-timeout=n] [--strict-paths]\n"
+"           [--base-path=path] [--user-path | --user-path=path]\n"
+"           [--reuseaddr] [directory...]";
 
 /* List of acceptable pathname prefixes */
 static char **ok_paths = NULL;
+static int strict_paths = 0;
 
 /* If this is set, git-daemon-export-ok is not required */
 static int export_all_trees = 0;
 
+/* Take all paths relative to this one if non-NULL */
+static char *base_path = NULL;
+
+/* If defined, ~user notation is allowed and the string is inserted
+ * after ~user/.  E.g. a request to git://host/~alice/frotz would
+ * go to /home/alice/pub_git/frotz with --user-path=pub_git.
+ */
+static char *user_path = NULL;
+
+/* Timeout, and initial timeout */
+static unsigned int timeout = 0;
+static unsigned int init_timeout = 0;
 
 static void logreport(int priority, const char *err, va_list params)
 {
@@ -76,75 +95,159 @@ static void loginfo(const char *err, ...)
 	va_end(params);
 }
 
-static int path_ok(const char *dir)
+static int avoid_alias(char *p)
 {
-	const char *p = dir;
-	char **pp;
-	int sl = 1, ndot = 0;
+	int sl, ndot;
 
-	for (;;) {
-		if ( *p == '.' ) {
-			ndot++;
-		} else if ( *p == '/' || *p == '\0' ) {
-			if ( sl && ndot > 0 && ndot < 3 )
-				return 0; /* . or .. in path */
+	/* 
+	 * This resurrects the belts and suspenders paranoia check by HPA
+	 * done in <435560F7.4080006@zytor.com> thread, now enter_repo()
+	 * does not do getcwd() based path canonicalizations.
+	 *
+	 * sl becomes true immediately after seeing '/' and continues to
+	 * be true as long as dots continue after that without intervening
+	 * non-dot character.
+	 */
+	if (!p || (*p != '/' && *p != '~'))
+		return -1;
+	sl = 1; ndot = 0;
+	p++;
+
+	while (1) {
+		char ch = *p++;
+		if (sl) {
+			if (ch == '.')
+				ndot++;
+			else if (ch == '/') {
+				if (ndot < 3)
+					/* reject //, /./ and /../ */
+					return -1;
+				ndot = 0;
+			}
+			else if (ch == 0) {
+				if (0 < ndot && ndot < 3)
+					/* reject /.$ and /..$ */
+					return -1;
+				return 0;
+			}
+			else
+				sl = ndot = 0;
+		}
+		else if (ch == 0)
+			return 0;
+		else if (ch == '/') {
 			sl = 1;
-			if ( *p == '\0' )
-				break; /* End of string and all is good */
-		} else {
-			sl = ndot = 0;
+			ndot = 0;
 		}
-		p++;
 	}
+}
 
-	if ( ok_paths && *ok_paths ) {
-		int ok = 0;
-		int dirlen = strlen(dir); /* read_packet_line can return embedded \0 */
+static char *path_ok(char *dir)
+{
+	static char rpath[PATH_MAX];
+	char *path;
+
+	if (avoid_alias(dir)) {
+		logerror("'%s': aliased", dir);
+		return NULL;
+	}
+
+	if (*dir == '~') {
+		if (!user_path) {
+			logerror("'%s': User-path not allowed", dir);
+			return NULL;
+		}
+		if (*user_path) {
+			/* Got either "~alice" or "~alice/foo";
+			 * rewrite them to "~alice/%s" or
+			 * "~alice/%s/foo".
+			 */
+			int namlen, restlen = strlen(dir);
+			char *slash = strchr(dir, '/');
+			if (!slash)
+				slash = dir + restlen;
+			namlen = slash - dir;
+			restlen -= namlen;
+			loginfo("userpath <%s>, request <%s>, namlen %d, restlen %d, slash <%s>", user_path, dir, namlen, restlen, slash);
+			snprintf(rpath, PATH_MAX, "%.*s/%s%.*s",
+				 namlen, dir, user_path, restlen, slash);
+			dir = rpath;
+		}
+	}
+	else if (base_path) {
+		if (*dir != '/') {
+			/* Allow only absolute */
+			logerror("'%s': Non-absolute path denied (base-path active)", dir);
+			return NULL;
+		}
+		else {
+			snprintf(rpath, PATH_MAX, "%s%s", base_path, dir);
+			dir = rpath;
+		}
+	}
+
+	path = enter_repo(dir, strict_paths);
 
+	if (!path) {
+		logerror("'%s': unable to chdir or not a git archive", dir);
+		return NULL;
+	}
+
+	if ( ok_paths && *ok_paths ) {
+		char **pp;
+		int pathlen = strlen(path);
+
+		/* The validation is done on the paths after enter_repo
+		 * appends optional {.git,.git/.git} and friends, but 
+		 * it does not use getcwd().  So if your /pub is
+		 * a symlink to /mnt/pub, you can whitelist /pub and
+		 * do not have to say /mnt/pub.
+		 * Do not say /pub/.
+		 */
 		for ( pp = ok_paths ; *pp ; pp++ ) {
 			int len = strlen(*pp);
-			if ( len <= dirlen &&
-			     !strncmp(*pp, dir, len) &&
-			     (dir[len] == '/' || dir[len] == '\0') ) {
-				ok = 1;
-				break;
-			}
+			if (len <= pathlen &&
+			    !memcmp(*pp, path, len) &&
+			    (path[len] == '\0' ||
+			     (!strict_paths && path[len] == '/')))
+				return path;
 		}
-
-		if ( !ok )
-			return 0; /* Path not in whitelist */
+	}
+	else {
+		/* be backwards compatible */
+		if (!strict_paths)
+			return path;
 	}
 
-	return 1;		/* Path acceptable */
+	logerror("'%s': not in whitelist", path);
+	return NULL;		/* Fallthrough. Deny by default */
 }
 
-static int upload(char *dir, int dirlen)
+static int upload(char *dir)
 {
-	loginfo("Request for '%s'", dir);
+	/* Timeout as string */
+	char timeout_buf[64];
+	const char *path;
 
-	if (!path_ok(dir)) {
-		logerror("Forbidden directory: %s\n", dir);
-		return -1;
-	}
+	loginfo("Request for '%s'", dir);
 
-	if (chdir(dir) < 0) {
-		logerror("Cannot chdir('%s'): %s", dir, strerror(errno));
+	if (!(path = path_ok(dir)))
 		return -1;
-	}
-
-	chdir(".git");
 
 	/*
 	 * Security on the cheap.
 	 *
-	 * We want a readable HEAD, usable "objects" directory, and 
+	 * We want a readable HEAD, usable "objects" directory, and
 	 * a "git-daemon-export-ok" flag that says that the other side
 	 * is ok with us doing this.
+	 *
+	 * path_ok() uses enter_repo() and does whitelist checking.
+	 * We only need to make sure the repository is exported.
 	 */
-	if ((!export_all_trees && access("git-daemon-export-ok", F_OK)) ||
-	    access("objects/00", X_OK) ||
-	    access("HEAD", R_OK)) {
-		logerror("Not a valid git-daemon-enabled repository: '%s'", dir);
+
+	if (!export_all_trees && access("git-daemon-export-ok", F_OK)) {
+		logerror("'%s': repository not exported.", path);
+		errno = EACCES;
 		return -1;
 	}
 
@@ -154,23 +257,32 @@ static int upload(char *dir, int dirlen)
 	 */
 	signal(SIGTERM, SIG_IGN);
 
+	snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);
+
 	/* git-upload-pack only ever reads stuff, so this is safe */
-	execlp("git-upload-pack", "git-upload-pack", ".", NULL);
+	execl_git_cmd("upload-pack", "--strict", timeout_buf, ".", NULL);
 	return -1;
 }
 
 static int execute(void)
 {
 	static char line[1000];
-	int len;
+	int pktlen, len;
 
-	len = packet_read_line(0, line, sizeof(line));
+	alarm(init_timeout ? init_timeout : timeout);
+	pktlen = packet_read_line(0, line, sizeof(line));
+	alarm(0);
 
+	len = strlen(line);
+	if (pktlen != len)
+		loginfo("Extended attributes (%d bytes) exist <%.*s>",
+			(int) pktlen - len,
+			(int) pktlen - len, line + len + 1);
 	if (len && line[len-1] == '\n')
 		line[--len] = 0;
 
-	if (!strncmp("git-upload-pack /", line, 17))
-		return upload(line + 16, len - 16);
+	if (!strncmp("git-upload-pack ", line, 16))
+		return upload(line+16);
 
 	logerror("Protocol error: '%s'", line);
 	return -1;
@@ -372,6 +484,16 @@ static void child_handler(int signo)
 	}
 }
 
+static int set_reuse_addr(int sockfd)
+{
+	int on = 1;
+
+	if (!reuseaddr)
+		return 0;
+	return setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR,
+			  &on, sizeof(on));
+}
+
 #ifndef NO_IPV6
 
 static int socksetup(int port, int **socklist_p)
@@ -416,6 +538,11 @@ static int socksetup(int port, int **socklist_p)
 		}
 #endif
 
+		if (set_reuse_addr(sockfd)) {
+			close(sockfd);
+			continue;
+		}
+
 		if (bind(sockfd, ai->ai_addr, ai->ai_addrlen) < 0) {
 			close(sockfd);
 			continue;	/* not fatal */
@@ -458,13 +585,24 @@ static int socksetup(int port, int **socklist_p)
 	sin.sin_addr.s_addr = htonl(INADDR_ANY);
 	sin.sin_port = htons(port);
 
+	if (set_reuse_addr(sockfd)) {
+		close(sockfd);
+		return 0;
+	}
+
 	if ( bind(sockfd, (struct sockaddr *)&sin, sizeof sin) < 0 ) {
 		close(sockfd);
 		return 0;
 	}
 
+	if (listen(sockfd, 5) < 0) {
+		close(sockfd);
+		return 0;
+	}
+
 	*socklist_p = xmalloc(sizeof(int));
 	**socklist_p = sockfd;
+	return 1;
 }
 
 #endif
@@ -482,11 +620,11 @@ static int service_loop(int socknum, int *socklist)
 	}
 
 	signal(SIGCHLD, child_handler);
-	
+
 	for (;;) {
 		int i;
 
-		if (poll(pfd, socknum, 0) < 0) {
+		if (poll(pfd, socknum, -1) < 0) {
 			if (errno != EINTR) {
 				error("poll failed, resuming: %s",
 				      strerror(errno));
@@ -519,13 +657,13 @@ static int service_loop(int socknum, int *socklist)
 static int serve(int port)
 {
 	int socknum, *socklist;
-	
+
 	socknum = socksetup(port, &socklist);
 	if (socknum == 0)
 		die("unable to allocate any listen sockets on port %u", port);
-	
+
 	return service_loop(socknum, socklist);
-}	
+}
 
 int main(int argc, char **argv)
 {
@@ -547,6 +685,7 @@ int main(int argc, char **argv)
 		}
 		if (!strcmp(arg, "--inetd")) {
 			inetd_mode = 1;
+			log_syslog = 1;
 			continue;
 		}
 		if (!strcmp(arg, "--verbose")) {
@@ -555,13 +694,40 @@ int main(int argc, char **argv)
 		}
 		if (!strcmp(arg, "--syslog")) {
 			log_syslog = 1;
-			openlog("git-daemon", 0, LOG_DAEMON);
 			continue;
 		}
 		if (!strcmp(arg, "--export-all")) {
 			export_all_trees = 1;
 			continue;
 		}
+		if (!strncmp(arg, "--timeout=", 10)) {
+			timeout = atoi(arg+10);
+			continue;
+		}
+		if (!strncmp(arg, "--init-timeout=", 15)) {
+			init_timeout = atoi(arg+15);
+			continue;
+		}
+		if (!strcmp(arg, "--strict-paths")) {
+			strict_paths = 1;
+			continue;
+		}
+		if (!strncmp(arg, "--base-path=", 12)) {
+			base_path = arg+12;
+			continue;
+		}
+		if (!strcmp(arg, "--reuseaddr")) {
+			reuseaddr = 1;
+			continue;
+		}
+		if (!strcmp(arg, "--user-path")) {
+			user_path = "";
+			continue;
+		}
+		if (!strncmp(arg, "--user-path=", 12)) {
+			user_path = arg + 12;
+			continue;
+		}
 		if (!strcmp(arg, "--")) {
 			ok_paths = &argv[i+1];
 			break;
@@ -573,10 +739,21 @@ int main(int argc, char **argv)
 		usage(daemon_usage);
 	}
 
+	if (log_syslog)
+		openlog("git-daemon", 0, LOG_DAEMON);
+
+	if (strict_paths && (!ok_paths || !*ok_paths)) {
+		if (!inetd_mode)
+			die("git-daemon: option --strict-paths requires a whitelist");
+
+		logerror("option --strict-paths requires a whitelist");
+		exit (1);
+	}
+
 	if (inetd_mode) {
 		fclose(stderr); //FIXME: workaround
 		return execute();
-	} else {
-		return serve(port);
 	}
+
+	return serve(port);
 }