authorRemi Collet <remi@remirepo.net>2020-12-14 11:47:25 +0100
committerRemi Collet <remi@remirepo.net>2020-12-14 11:47:25 +0100
commit1662ed79d9304100f76a8c863424c1d0abbca6d1 (patch)
treec8033c824ae6d34b653a92c84fe5485e26449bd0 /0001-clone-fix-directory-traversal.patch
parentd0dff73e8fdfad7591475740b23b97a8df223cc8 (diff)
1.2.3 for EL-8HEADmaster
Diffstat (limited to '0001-clone-fix-directory-traversal.patch')
-rw-r--r--0001-clone-fix-directory-traversal.patch62
1 files changed, 0 insertions, 62 deletions
diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch
deleted file mode 100644
index 9f647f2..0000000
--- a/0001-clone-fix-directory-traversal.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Fri, 3 Aug 2018 15:46:11 +0200
-Subject: [PATCH] clone: fix directory traversal
-
-This was introduced in the initial version of this code, way back when
-in 2008.
-
-$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
-root:x:0:0:root:/root:/bin/sh
-...
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Reported-by: Jann Horn <jannh@google.com>
----
- ui-clone.c | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/ui-clone.c b/ui-clone.c
-index 2c1ac3d..6ba8f36 100644
---- a/ui-clone.c
-+++ b/ui-clone.c
-@@ -92,17 +92,32 @@ void cgit_clone_info(void)
-
- void cgit_clone_objects(void)
- {
-- if (!ctx.qry.path) {
-- cgit_print_error_page(400, "Bad request", "Bad request");
-- return;
-- }
-+ char *p;
-+
-+ if (!ctx.qry.path)
-+ goto err;
-
- if (!strcmp(ctx.qry.path, "info/packs")) {
- print_pack_info();
- return;
- }
-
-+ /* Avoid directory traversal by forbidding "..", but also work around
-+ * other funny business by just specifying a fairly strict format. For
-+ * example, now we don't have to stress out about the Cygwin port.
-+ */
-+ for (p = ctx.qry.path; *p; ++p) {
-+ if (*p == '.' && *(p + 1) == '.')
-+ goto err;
-+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
-+ goto err;
-+ }
-+
- send_file(git_path("objects/%s", ctx.qry.path));
-+ return;
-+
-+err:
-+ cgit_print_error_page(400, "Bad request", "Bad request");
- }
-
- void cgit_clone_head(void)
---
-2.18.0
-