[PATCH] daemon: sanitize all directory separators

[PATCH] daemon: sanitize all directory separators

[René Scharfe.]

When sanitizing client-supplied strings on Windows, also strip off
backslashes, not just slashes.

Signed-off-by: René Scharfe <l.s.r@web.de>
---
 daemon.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/daemon.c b/daemon.c
index 2ab7ea82eb..0561c19ee8 100644
--- a/daemon.c
+++ b/daemon.c
@@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,

 /*
  * Sanitize a string from the client so that it's OK to be inserted into a
- * filesystem path. Specifically, we disallow slashes, runs of "..", and
- * trailing and leading dots, which means that the client cannot escape
- * our base path via ".." traversal.
+ * filesystem path. Specifically, we disallow directory separators, runs
+ * of "..", and trailing and leading dots, which means that the client
+ * cannot escape our base path via ".." traversal.
  */
 static void sanitize_client(struct strbuf *out, const char *in)
 {
 	for (; *in; in++) {
-		if (*in == '/')
+		if (is_dir_sep(*in))
 			continue;
 		if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
 			continue;
--
2.30.2

Re: [PATCH] daemon: sanitize all directory separators

[Jeff King]

On Thu, Mar 25, 2021 at 05:21:24PM +0100, René Scharfe. wrote:

> When sanitizing client-supplied strings on Windows, also strip off
> backslashes, not just slashes.
> [...]
>  static void sanitize_client(struct strbuf *out, const char *in)
>  {
>  	for (; *in; in++) {
> -		if (*in == '/')
> +		if (is_dir_sep(*in))

Yeah, this seems like the obviously correct thing to be doing.

-Peff

Re: [PATCH] daemon: sanitize all directory separators

[Johannes Schindelin]

[-- Attachment #1: Type: text/plain, Size: 2275 bytes --]

Hi Junio & René,

On Thu, 25 Mar 2021, Junio C Hamano wrote:

> René Scharfe. <l.s.r@web.de> writes:
>
> > When sanitizing client-supplied strings on Windows, also strip off
> > backslashes, not just slashes.
> >
> > Signed-off-by: René Scharfe <l.s.r@web.de>
> > ---
> >  daemon.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
>
> I do not know how common is it to run "git daemon" on Windows, but
> it would be nice to have at least an ack from Windows person.

Here is my ACK.

I do not have any precise numbers, of course, as we do not have any
telemetry in Git for Windows (for better or worse).

There _are_ occasional reports about something in `git daemon` not
working; Most notably, you have to turn off the sideband to make `push`
work.

> > diff --git a/daemon.c b/daemon.c
> > index 2ab7ea82eb..0561c19ee8 100644
> > --- a/daemon.c
> > +++ b/daemon.c
> > @@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,
> >
> >  /*
> >   * Sanitize a string from the client so that it's OK to be inserted into a
> > - * filesystem path. Specifically, we disallow slashes, runs of "..", and
> > - * trailing and leading dots, which means that the client cannot escape
> > - * our base path via ".." traversal.
> > + * filesystem path. Specifically, we disallow directory separators, runs
> > + * of "..", and trailing and leading dots, which means that the client
> > + * cannot escape our base path via ".." traversal.
>
> Not a new problem, but "runs of '..'" confused me.  If I am reading
> the code right, we disallow directory separators (by ignoring) and
> two or more '.' in a row (by squashing them into a single '.').

Indeed, the code is a bit funny in that respect. But at least it keeps us
somewhat safe: there is currently no way to break out of the directory to
the parent directory, whether with this path or not. (Phew!)

Thanks,
Dscho

>
> >   */
> >  static void sanitize_client(struct strbuf *out, const char *in)
> >  {
> >  	for (; *in; in++) {
> > -		if (*in == '/')
> > +		if (is_dir_sep(*in))
> >  			continue;
> >  		if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
> >  			continue;
> > --
> > 2.30.2
>
> Thanks.
>