]> granicus.if.org Git - git/commitdiff
projects / git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: 6b1258b afcb6ee)
Merge branch 'jc/push-cert'
authorJunio C Hamano <gitster@pobox.com>
Mon, 20 Apr 2015 22:28:31 +0000 (15:28 -0700)
committerJunio C Hamano <gitster@pobox.com>
Mon, 20 Apr 2015 22:28:31 +0000 (15:28 -0700)
The "git push --signed" protocol extension did not limit what the
"nonce" that is a server-chosen string can contain or how long it
can be, which was unnecessarily lax.  Limit both the length and the
alphabet to a reasonably small space that can still have enough
entropy.

* jc/push-cert:
  push --signed: tighten what the receiving end can ask to sign

1  2 
send-pack.c patch | diff1 | diff2 | blob | history

diff --cc send-pack.c
index 189bdde0c29b1aa62c9628786fa7b8c1b4083fb3,22498080271a5702a7e79a72af1f1f8491d15121..2e07ac3339bce870b12e0023dc985929a277ebef
--- 1/send-pack.c
--- 2/send-pack.c
+++ b/send-pack.c
@@@ -285,29 -279,28 +285,51 @@@ free_return
        return update_seen;
  }
  
 +
 +static int atomic_push_failure(struct send_pack_args *args,
 +                             struct ref *remote_refs,
 +                             struct ref *failing_ref)
 +{
 +      struct ref *ref;
 +      /* Mark other refs as failed */
 +      for (ref = remote_refs; ref; ref = ref->next) {
 +              if (!ref->peer_ref && !args->send_mirror)
 +                      continue;
 +
 +              switch (ref->status) {
 +              case REF_STATUS_EXPECTING_REPORT:
 +                      ref->status = REF_STATUS_ATOMIC_PUSH_FAILED;
 +                      continue;
 +              default:
 +                      break; /* do nothing */
 +              }
 +      }
 +      return error("atomic push failed for ref %s. status: %d\n",
 +                   failing_ref->name, failing_ref->status);
 +}
 +
+ #define NONCE_LEN_LIMIT 256
+ static void reject_invalid_nonce(const char *nonce, int len)
+ {
+       int i = 0;
+       if (NONCE_LEN_LIMIT <= len)
+               die("the receiving end asked to sign an invalid nonce <%.*s>",
+                   len, nonce);
+       for (i = 0; i < len; i++) {
+               int ch = nonce[i] & 0xFF;
+               if (isalnum(ch) ||
+                   ch == '-' || ch == '.' ||
+                   ch == '/' || ch == '+' ||
+                   ch == '=' || ch == '_')
+                       continue;
+               die("the receiving end asked to sign an invalid nonce <%.*s>",
+                   len, nonce);
+       }
+ }
  int send_pack(struct send_pack_args *args,
              int fd[], struct child_process *conn,
              struct ref *remote_refs,
Unnamed repository; edit this file 'description' to name the repository.