debian/patches/connect-reject-dashed-arguments-for-proxy-commands.diff - jrn/git - Git at Google

 From 5c90bbefe25f5bf78e64756d5e8b09a30adef13a Mon Sep 17 00:00:00 2001
 From: Jeff King <peff@peff.net>
 Date: Fri, 28 Jul 2017 15:26:50 -0400
 Subject: connect: reject dashed arguments for proxy commands

 If you have a GIT_PROXY_COMMAND configured, we will run it
 with the host/port on the command-line. If a URL contains a
 mischievous host like "--foo", we don't know how the proxy
 command may handle it. It's likely to break, but it may also
 do something dangerous and unwanted (technically it could
 even do something useful, but that seems unlikely).

 We should err on the side of caution and reject this before
 we even run the command.

 The hostname check matches the one we do in a similar
 circumstance for ssh. The port check is not present for ssh,
 but there it's not necessary because the syntax is "-p
 <port>", and there's no ambiguity on the parsing side.

 It's not clear whether you can actually get a negative port
 to the proxy here or not. Doing:

   git fetch git://remote:-1234/repo.git

 keeps the "-1234" as part of the hostname, with the default
 port of 9418. But it's a good idea to keep this check close
 to the point of running the command to make it clear that
 there's no way to circumvent it (and at worst it serves as a
 belt-and-suspenders check).

 Signed-off-by: Jeff King <peff@peff.net>
 Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
 Signed-off-by: Junio C Hamano <gitster@pobox.com>
 ---
  connect.c              | 5 +++++
  t/t5532-fetch-proxy.sh | 5 +++++
  2 files changed, 10 insertions(+)

 diff --git a/connect.c b/connect.c
 index 378dfaae1c..ac03edfd8e 100644
 --- a/connect.c
 +++ b/connect.c
 @@ -577,6 +577,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)

  	get_host_and_port(&host, &port);

 +	if (looks_like_command_line_option(host))
 +		die("strange hostname '%s' blocked", host);
 +	if (looks_like_command_line_option(port))
 +		die("strange port '%s' blocked", port);
 +
  	proxy = xmalloc(sizeof(*proxy));
  	child_process_init(proxy);
  	argv_array_push(&proxy->args, git_proxy_command);
 diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
 index 51c9669398..9c2798603b 100755
 --- a/t/t5532-fetch-proxy.sh
 +++ b/t/t5532-fetch-proxy.sh
 @@ -43,4 +43,9 @@ test_expect_success 'fetch through proxy works' '
  	test_cmp expect actual
  '

 +test_expect_success 'funny hostnames are rejected before running proxy' '
 +	test_must_fail git fetch git://-remote/repo.git 2>stderr &&
 +	! grep "proxying for" stderr
 +'
 +
  test_done
 --
 2.14.0.434.g98096fd7a8
	From 5c90bbefe25f5bf78e64756d5e8b09a30adef13a Mon Sep 17 00:00:00 2001
	From: Jeff King <peff@peff.net>
	Date: Fri, 28 Jul 2017 15:26:50 -0400
	Subject: connect: reject dashed arguments for proxy commands

	If you have a GIT_PROXY_COMMAND configured, we will run it
	with the host/port on the command-line. If a URL contains a
	mischievous host like "--foo", we don't know how the proxy
	command may handle it. It's likely to break, but it may also
	do something dangerous and unwanted (technically it could
	even do something useful, but that seems unlikely).

	We should err on the side of caution and reject this before
	we even run the command.

	The hostname check matches the one we do in a similar
	circumstance for ssh. The port check is not present for ssh,
	but there it's not necessary because the syntax is "-p
	<port>", and there's no ambiguity on the parsing side.

	It's not clear whether you can actually get a negative port
	to the proxy here or not. Doing:

	git fetch git://remote:-1234/repo.git

	keeps the "-1234" as part of the hostname, with the default
	port of 9418. But it's a good idea to keep this check close
	to the point of running the command to make it clear that
	there's no way to circumvent it (and at worst it serves as a
	belt-and-suspenders check).

	Signed-off-by: Jeff King <peff@peff.net>
	Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	---
	connect.c \| 5 +++++
	t/t5532-fetch-proxy.sh \| 5 +++++
	2 files changed, 10 insertions(+)

	diff --git a/connect.c b/connect.c
	index 378dfaae1c..ac03edfd8e 100644
	--- a/connect.c
	+++ b/connect.c
	@@ -577,6 +577,11 @@ static struct child_process git_proxy_connect(int fd[2], char host)

	get_host_and_port(&host, &port);

	+ if (looks_like_command_line_option(host))
	+ die("strange hostname '%s' blocked", host);
	+ if (looks_like_command_line_option(port))
	+ die("strange port '%s' blocked", port);
	+
	proxy = xmalloc(sizeof(*proxy));
	child_process_init(proxy);
	argv_array_push(&proxy->args, git_proxy_command);
	diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
	index 51c9669398..9c2798603b 100755
	--- a/t/t5532-fetch-proxy.sh
	+++ b/t/t5532-fetch-proxy.sh
	@@ -43,4 +43,9 @@ test_expect_success 'fetch through proxy works' '
	test_cmp expect actual
	'

	+test_expect_success 'funny hostnames are rejected before running proxy' '
	+ test_must_fail git fetch git://-remote/repo.git 2>stderr &&
	+ ! grep "proxying for" stderr
	+'
	+
	test_done
	--
	2.14.0.434.g98096fd7a8