| From 95110704086cf8c226bdd04aeab9bf13da8331e8 Mon Sep 17 00:00:00 2001 |
| From: Jeff King <peff@peff.net> |
| Date: Mon, 11 Sep 2017 11:27:51 -0400 |
| Subject: shell: drop git-cvsserver support by default |
| |
| The git-cvsserver script is old and largely unmaintained |
| these days. But git-shell allows untrusted users to run it |
| out of the box, significantly increasing its attack surface. |
| |
| Let's drop it from git-shell's list of internal handlers so |
| that it cannot be run by default. This is not backwards |
| compatible. But given the age and development activity on |
| CVS-related parts of Git, this is likely to impact very few |
| users, while helping many more (i.e., anybody who runs |
| git-shell and had no intention of supporting CVS). |
| |
| There's no configuration mechanism in git-shell for us to |
| add a boolean and flip it to "off". But there is a mechanism |
| for adding custom commands, and adding CVS support here is |
| fairly trivial. Let's document it to give guidance to |
| anybody who really is still running cvsserver. |
| |
| Signed-off-by: Jeff King <peff@peff.net> |
| Signed-off-by: Junio C Hamano <gitster@pobox.com> |
| --- |
| Documentation/git-shell.txt | 16 ++++++++++++++ |
| shell.c | 14 ------------ |
| t/t9400-git-cvsserver-server.sh | 48 +++++++++++++++++++++++++++++++++++++++++ |
| 3 files changed, 64 insertions(+), 14 deletions(-) |
| |
| diff --git a/Documentation/git-shell.txt b/Documentation/git-shell.txt |
| index 2e30a3e42d..54cf2560be 100644 |
| --- a/Documentation/git-shell.txt |
| +++ b/Documentation/git-shell.txt |
| @@ -79,6 +79,22 @@ EOF |
| $ chmod +x $HOME/git-shell-commands/no-interactive-login |
| ---------------- |
| |
| +To enable git-cvsserver access (which should generally have the |
| +`no-interactive-login` example above as a prerequisite, as creating |
| +the git-shell-commands directory allows interactive logins): |
| + |
| +---------------- |
| +$ cat >$HOME/git-shell-commands/cvs <<\EOF |
| +if ! test $# = 1 && test "$1" = "server" |
| +then |
| + echo >&2 "git-cvsserver only handles \"server\"" |
| + exit 1 |
| +fi |
| +exec git cvsserver server |
| +EOF |
| +$ chmod +x $HOME/git-shell-commands/cvs |
| +---------------- |
| + |
| SEE ALSO |
| -------- |
| ssh(1), |
| diff --git a/shell.c b/shell.c |
| index fe2d314593..234b2d4f16 100644 |
| --- a/shell.c |
| +++ b/shell.c |
| @@ -25,19 +25,6 @@ static int do_generic_cmd(const char *me, char *arg) |
| return execv_git_cmd(my_argv); |
| } |
| |
| -static int do_cvs_cmd(const char *me, char *arg) |
| -{ |
| - const char *cvsserver_argv[3] = { |
| - "cvsserver", "server", NULL |
| - }; |
| - |
| - if (!arg || strcmp(arg, "server")) |
| - die("git-cvsserver only handles server: %s", arg); |
| - |
| - setup_path(); |
| - return execv_git_cmd(cvsserver_argv); |
| -} |
| - |
| static int is_valid_cmd_name(const char *cmd) |
| { |
| /* Test command contains no . or / characters */ |
| @@ -134,7 +121,6 @@ static struct commands { |
| { "git-receive-pack", do_generic_cmd }, |
| { "git-upload-pack", do_generic_cmd }, |
| { "git-upload-archive", do_generic_cmd }, |
| - { "cvs", do_cvs_cmd }, |
| { NULL }, |
| }; |
| |
| diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh |
| index 432c61d246..c30660d606 100755 |
| --- a/t/t9400-git-cvsserver-server.sh |
| +++ b/t/t9400-git-cvsserver-server.sh |
| @@ -588,4 +588,52 @@ test_expect_success 'cvs annotate' ' |
| test_cmp ../expect ../actual |
| ' |
| |
| +#------------ |
| +# running via git-shell |
| +#------------ |
| + |
| +cd "$WORKDIR" |
| + |
| +test_expect_success 'create remote-cvs helper' ' |
| + write_script remote-cvs <<-\EOF |
| + exec git shell -c "cvs server" |
| + EOF |
| +' |
| + |
| +test_expect_success 'cvs server does not run with vanilla git-shell' ' |
| + ( |
| + cd cvswork && |
| + CVS_SERVER=$WORKDIR/remote-cvs && |
| + export CVS_SERVER && |
| + test_must_fail cvs log merge |
| + ) |
| +' |
| + |
| +test_expect_success 'configure git shell to run cvs server' ' |
| + mkdir "$HOME"/git-shell-commands && |
| + |
| + write_script "$HOME"/git-shell-commands/cvs <<-\EOF && |
| + if ! test $# = 1 && test "$1" = "server" |
| + then |
| + echo >&2 "git-cvsserver only handles \"server\"" |
| + exit 1 |
| + fi |
| + exec git cvsserver server |
| + EOF |
| + |
| + # Should not be used, but part of the recommended setup |
| + write_script "$HOME"/git-shell-commands/no-interactive-login <<-\EOF |
| + echo Interactive login forbidden |
| + EOF |
| +' |
| + |
| +test_expect_success 'cvs server can run with recommended config' ' |
| + ( |
| + cd cvswork && |
| + CVS_SERVER=$WORKDIR/remote-cvs && |
| + export CVS_SERVER && |
| + cvs log merge |
| + ) |
| +' |
| + |
| test_done |
| -- |
| 2.14.1.821.g8fa685d3b7 |
| |