daemon: sanitize all directory separators

Message ID 314451a4-ee8f-fb68-016f-66a4f3bea409@web.de (mailing list archive)
State New, archived

Commit Message

René Scharfe March 25, 2021, 4:21 p.m. UTC
When sanitizing client-supplied strings on Windows, also strip off
backslashes, not just slashes.

Signed-off-by: René Scharfe <l.s.r@web.de>
---
 daemon.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--
2.30.2

Comments

Jeff King March 26, 2021, 4:22 a.m. UTC | #1
On Thu, Mar 25, 2021 at 05:21:24PM +0100, René Scharfe. wrote:

> When sanitizing client-supplied strings on Windows, also strip off
> backslashes, not just slashes.
> [...]
>  static void sanitize_client(struct strbuf *out, const char *in)
>  {
>  	for (; *in; in++) {
> -		if (*in == '/')
> +		if (is_dir_sep(*in))

Yeah, this seems like the obviously correct thing to be doing.

-Peff

Johannes Schindelin March 26, 2021, 2:47 p.m. UTC | #2
Hi Junio & René,

On Thu, 25 Mar 2021, Junio C Hamano wrote:

> René Scharfe. <l.s.r@web.de> writes:
>
> > When sanitizing client-supplied strings on Windows, also strip off
> > backslashes, not just slashes.
> >
> > Signed-off-by: René Scharfe <l.s.r@web.de>
> > ---
> >  daemon.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
>
> I do not know how common is it to run "git daemon" on Windows, but
> it would be nice to have at least an ack from Windows person.

Here is my ACK.

I do not have any precise numbers, of course, as we do not have any
telemetry in Git for Windows (for better or worse).

There _are_ occasional reports about something in `git daemon` not
working; most notably, you have to turn off the sideband to make `push`
work.

> > diff --git a/daemon.c b/daemon.c
> > index 2ab7ea82eb..0561c19ee8 100644
> > --- a/daemon.c
> > +++ b/daemon.c
> > @@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,
> >
> >  /*
> >   * Sanitize a string from the client so that it's OK to be inserted into a
> > - * filesystem path. Specifically, we disallow slashes, runs of "..", and
> > - * trailing and leading dots, which means that the client cannot escape
> > - * our base path via ".." traversal.
> > + * filesystem path. Specifically, we disallow directory separators, runs
> > + * of "..", and trailing and leading dots, which means that the client
> > + * cannot escape our base path via ".." traversal.
>
> Not a new problem, but "runs of '..'" confused me.  If I am reading
> the code right, we disallow directory separators (by ignoring) and
> two or more '.' in a row (by squashing them into a single '.').

Indeed, the code is a bit funny in that respect. But at least it keeps us
somewhat safe: there is currently no way to break out of the directory to
the parent directory, whether with this path or not. (Phew!)

Thanks,
Dscho

>
> >   */
> >  static void sanitize_client(struct strbuf *out, const char *in)
> >  {
> >  	for (; *in; in++) {
> > -		if (*in == '/')
> > +		if (is_dir_sep(*in))
> >  			continue;
> >  		if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
> >  			continue;
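
Review bot: The switch to `is_dir_sep(*in)` in the loop comes with no test: the diffstat lists daemon.c as the only file changed, so nothing pins the new behaviour. Consider adding a case that feeds a client-supplied string containing a backslash through the sanitizer and checks that it is dropped on Windows, alongside a case showing that '/' is still dropped everywhere.
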
> > --
> > 2.30.2
>
> Thanks.
>
Patch

diff --git a/daemon.c b/daemon.c
index 2ab7ea82eb..0561c19ee8 100644
--- a/daemon.c
+++ b/daemon.c
@@ -566,14 +566,14 @@  static void parse_host_and_port(char *hostport, char **host,

 /*
  * Sanitize a string from the client so that it's OK to be inserted into a
- * filesystem path. Specifically, we disallow slashes, runs of "..", and
- * trailing and leading dots, which means that the client cannot escape
- * our base path via ".." traversal.
+ * filesystem path. Specifically, we disallow directory separators, runs
+ * of "..", and trailing and leading dots, which means that the client
+ * cannot escape our base path via ".." traversal.
  */
 static void sanitize_client(struct strbuf *out, const char *in)
 {
 	for (; *in; in++) {
-		if (*in == '/')
+		if (is_dir_sep(*in))
 			continue;
 		if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
 			continue;
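
Review bot: The rewritten comment still says the function disallows runs of "..", which does not match the visible check `*in == '.' && (!out->len || out->buf[out->len - 1] == '.')`: that line skips a dot when the output is empty or already ends in a dot, so consecutive dots are squashed to a single dot and leading dots are dropped, rather than ".." being rejected. Since these three comment lines are being rewritten anyway, consider wording them as "directory separators are dropped, consecutive dots are collapsed to one, and leading dots are removed", and mention that which characters count as separators depends on the platform through is_dir_sep(). The trailing-dot handling the comment refers to lies outside this hunk, so it cannot be checked against the wording here.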