From 6573faff34eb002535843bbb59365be4ad58a120 Mon Sep 17 00:00:00 2001 From: Peter Anvin Date: Wed, 28 Sep 2005 17:26:44 -0700 Subject: NO_IPV6 support for git daemon --- daemon.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 75 insertions(+), 16 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index a369ce527e..79e72e0bdd 100644 --- a/daemon.c +++ b/daemon.c @@ -1,9 +1,11 @@ #include "cache.h" #include "pkt-line.h" +#include #include #include #include #include +#include #include #include #include @@ -328,6 +330,7 @@ static void handle(int incoming, struct sockaddr *addr, int addrlen) inet_ntop(AF_INET, &sin_addr->sin_addr, addrbuf, sizeof(addrbuf)); port = sin_addr->sin_port; +#ifndef NO_IPV6 } else if (addr->sa_family == AF_INET6) { struct sockaddr_in6 *sin6_addr = (void *) addr; @@ -337,6 +340,7 @@ static void handle(int incoming, struct sockaddr *addr, int addrlen) strcat(buf, "]"); port = sin6_addr->sin6_port; +#endif } loginfo("Connection from %s:%d", addrbuf, port); @@ -369,16 +373,17 @@ static void child_handler(int signo) } } -static int serve(int port) +#ifndef NO_IPV6 + +static int socksetup(int port, int **socklist_p) { - struct addrinfo hints, *ai0, *ai; - int gai; int socknum = 0, *socklist = NULL; int maxfd = -1; fd_set fds_init, fds; char pbuf[NI_MAXSERV]; - signal(SIGCHLD, child_handler); + struct addrinfo hints, *ai0, *ai; + int gai; sprintf(pbuf, "%d", port); memset(&hints, 0, sizeof(hints)); @@ -438,16 +443,59 @@ static int serve(int port) freeaddrinfo(ai0); - if (socknum == 0) - die("unable to allocate any listen sockets on port %u", port); + *socklist_p = socklist; + return socknum; +} + +#else /* NO_IPV6 */ + +static int socksetup(int port, int **socklist_p) +{ + struct sockaddr_in sin; + int sockfd; + + sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd < 0) + return 0; + + memset(&sin, 0, sizeof sin); + sin.sin_family = AF_INET; + sin.sin_addr.s_addr = htonl(INADDR_ANY); + sin.sin_port = htons(port); + + if ( bind(sockfd, (struct sockaddr *)&sin, sizeof sin) < 0 ) { + close(sockfd); + return 0; + } + *socklist_p = malloc(sizeof(int)); + if ( !*socklist_p ) + die("memory allocation failed: %s", strerror(errno)); + **socklist_p = sockfd; +} + +#endif + +static int service_loop(int socknum, int *socklist) +{ + struct pollfd *pfd; + int i; + + pfd = calloc(socknum, sizeof(struct pollfd)); + if (!pfd) + die("memory allocation failed: %s", strerror(errno)); + + for (i = 0; i < socknum; i++) { + pfd[i].fd = socklist[i]; + pfd[i].events = POLLIN; + } + for (;;) { int i; - fds = fds_init; - - if (select(maxfd + 1, &fds, NULL, NULL, NULL) < 0) { + + if (poll(pfd, socknum, 0) < 0) { if (errno != EINTR) { - error("select failed, resuming: %s", + error("poll failed, resuming: %s", strerror(errno)); sleep(1); } @@ -455,12 +503,10 @@ static int serve(int port) } for (i = 0; i < socknum; i++) { - int sockfd = socklist[i]; - - if (FD_ISSET(sockfd, &fds)) { + if (pfd[i].revents & POLLIN) { struct sockaddr_storage ss; int sslen = sizeof(ss); - int incoming = accept(sockfd, (struct sockaddr *)&ss, &sslen); + int incoming = accept(pfd[i].fd, (struct sockaddr *)&ss, &sslen); if (incoming < 0) { switch (errno) { case EAGAIN: @@ -477,6 +523,19 @@ static int serve(int port) } } +static int serve(int port) +{ + int socknum, *socklist; + + signal(SIGCHLD, child_handler); + + socknum = socksetup(port, &socklist); + if (socknum == 0) + die("unable to allocate any listen sockets on port %u", port); + + return service_loop(socknum, socklist); +} + int main(int argc, char **argv) { int port = DEFAULT_GIT_PORT; @@ -526,7 +585,7 @@ int main(int argc, char **argv) if (inetd_mode) { fclose(stderr); //FIXME: workaround return execute(); + } else { + return serve(port); } - - return serve(port); } -- cgit v1.3-5-g9baa From e72456bb67bfcadf3703dc2f8240af7d9d8aebdb Mon Sep 17 00:00:00 2001 From: Peter Anvin Date: Wed, 28 Sep 2005 18:01:55 -0700 Subject: Remove variables not needed when using poll --- daemon.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 79e72e0bdd..526ac782cf 100644 --- a/daemon.c +++ b/daemon.c @@ -379,7 +379,6 @@ static int socksetup(int port, int **socklist_p) { int socknum = 0, *socklist = NULL; int maxfd = -1; - fd_set fds_init, fds; char pbuf[NI_MAXSERV]; struct addrinfo hints, *ai0, *ai; @@ -396,8 +395,6 @@ static int socksetup(int port, int **socklist_p) if (gai) die("getaddrinfo() failed: %s\n", gai_strerror(gai)); - FD_ZERO(&fds_init); - for (ai = ai0; ai; ai = ai->ai_next) { int sockfd; int *newlist; @@ -436,7 +433,6 @@ static int socksetup(int port, int **socklist_p) socklist = newlist; socklist[socknum++] = sockfd; - FD_SET(sockfd, &fds_init); if (maxfd < sockfd) maxfd = sockfd; } -- cgit v1.3-5-g9baa From d6b89e7bf882648c23bd7fd4598696087487329d Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Fri, 30 Sep 2005 10:46:42 -0700 Subject: Don't need --- daemon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 8366a33bcb..b6006c7829 100644 --- a/daemon.c +++ b/daemon.c @@ -1,6 +1,5 @@ #include "cache.h" #include "pkt-line.h" -#include #include #include #include -- cgit v1.3-5-g9baa From 1b4713fb9e6ec614e8dbca90b1a57d5ffa2f3fde Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Fri, 30 Sep 2005 10:47:50 -0700 Subject: Use xmalloc/xcalloc --- daemon.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index b6006c7829..6298f53fcf 100644 --- a/daemon.c +++ b/daemon.c @@ -463,9 +463,7 @@ static int socksetup(int port, int **socklist_p) return 0; } - *socklist_p = malloc(sizeof(int)); - if ( !*socklist_p ) - die("memory allocation failed: %s", strerror(errno)); + *socklist_p = xmalloc(sizeof(int)); **socklist_p = sockfd; } @@ -476,9 +474,7 @@ static int service_loop(int socknum, int *socklist) struct pollfd *pfd; int i; - pfd = calloc(socknum, sizeof(struct pollfd)); - if (!pfd) - die("memory allocation failed: %s", strerror(errno)); + pfd = xcalloc(socknum, sizeof(struct pollfd)); for (i = 0; i < socknum; i++) { pfd[i].fd = socklist[i]; -- cgit v1.3-5-g9baa From 7626e49e9f04ac386965d16ae11e130e20ebd518 Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Fri, 30 Sep 2005 10:48:21 -0700 Subject: socklen_t is unsigned int on most Linux platforms --- daemon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 6298f53fcf..fc5e1c3037 100644 --- a/daemon.c +++ b/daemon.c @@ -496,7 +496,7 @@ static int service_loop(int socknum, int *socklist) for (i = 0; i < socknum; i++) { if (pfd[i].revents & POLLIN) { struct sockaddr_storage ss; - int sslen = sizeof(ss); + unsigned int sslen = sizeof(ss); int incoming = accept(pfd[i].fd, (struct sockaddr *)&ss, &sslen); if (incoming < 0) { switch (errno) { -- cgit v1.3-5-g9baa From 9220282a9c6fae98d326bd10e4f427f1692b71ed Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Fri, 30 Sep 2005 11:01:57 -0700 Subject: Move signal setting into service_loop() --- daemon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index fc5e1c3037..f285a8c98c 100644 --- a/daemon.c +++ b/daemon.c @@ -480,6 +480,8 @@ static int service_loop(int socknum, int *socklist) pfd[i].fd = socklist[i]; pfd[i].events = POLLIN; } + + signal(SIGCHLD, child_handler); for (;;) { int i; @@ -518,8 +520,6 @@ static int serve(int port) { int socknum, *socklist; - signal(SIGCHLD, child_handler); - socknum = socksetup(port, &socklist); if (socknum == 0) die("unable to allocate any listen sockets on port %u", port); -- cgit v1.3-5-g9baa From 230f13225df8b7e7eb0acc91a8c630f9e84967c1 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sat, 8 Oct 2005 15:54:01 -0700 Subject: Create object subdirectories on demand This makes it possible to have a "sparse" git object subdirectory structure, something that has become much more attractive now that people use pack-files all the time. As a result of pack-files, a git object directory doesn't necessarily have any individual objects lying around, and in that case it's just wasting space to keep the empty first-level object directories around: on many filesystems the 256 empty directories will be aboue 1MB of diskspace. Even more importantly, after you re-pack a project that _used_ to be unpacked, you could be left with huge directories that no longer contain anything, but that waste space and take time to look through. With this change, "git prune-packed" can just do an rmdir() on the directories, and they'll get removed if empty, and re-created on demand. This patch also tries to fix up "write_sha1_from_fd()" to use the new common infrastructure for creating the object files, closing a hole where we might otherwise leave half-written objects in the object database. [jc: I unoptimized the part that really removes the fan-out directories to ease transition. init-db still wastes 1MB of diskspace to hold 256 empty fan-outs, and prune-packed rmdir()'s the grown but empty directories, but runs mkdir() immediately after that -- reducing the saving from 150KB to 146KB. These parts will be re-introduced when everybody has the on-demand capability.] Signed-off-by: Linus Torvalds Signed-off-by: Junio C Hamano --- daemon.c | 2 +- fsck-objects.c | 5 +-- git-rename.perl | 2 +- git-sh-setup.sh | 2 +- prune-packed.c | 5 ++- sha1_file.c | 114 +++++++++++++++++++++++++++++++++++++------------------ t/t0000-basic.sh | 2 +- 7 files changed, 88 insertions(+), 44 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index f285a8c98c..11fa3ed11f 100644 --- a/daemon.c +++ b/daemon.c @@ -142,7 +142,7 @@ static int upload(char *dir, int dirlen) * is ok with us doing this. */ if ((!export_all_trees && access("git-daemon-export-ok", F_OK)) || - access("objects/00", X_OK) || + access("objects/", X_OK) || access("HEAD", R_OK)) { logerror("Not a valid git-daemon-enabled repository: '%s'", dir); return -1; diff --git a/fsck-objects.c b/fsck-objects.c index 65cec7d12b..17d05363e0 100644 --- a/fsck-objects.c +++ b/fsck-objects.c @@ -329,9 +329,8 @@ static int fsck_dir(int i, char *path) DIR *dir = opendir(path); struct dirent *de; - if (!dir) { - return error("missing sha1 directory '%s'", path); - } + if (!dir) + return 0; while ((de = readdir(dir)) != NULL) { char name[100]; diff --git a/git-rename.perl b/git-rename.perl index a28c8c83bb..3b1127b1b2 100755 --- a/git-rename.perl +++ b/git-rename.perl @@ -15,7 +15,7 @@ sub usage($); my $GIT_DIR = $ENV{'GIT_DIR'} || ".git"; unless ( -d $GIT_DIR && -d $GIT_DIR . "/objects" && - -d $GIT_DIR . "/objects/00" && -d $GIT_DIR . "/refs") { + -d $GIT_DIR . "/objects/" && -d $GIT_DIR . "/refs") { usage("Git repository not found."); } diff --git a/git-sh-setup.sh b/git-sh-setup.sh index a0172686a9..dbb98842bf 100755 --- a/git-sh-setup.sh +++ b/git-sh-setup.sh @@ -22,4 +22,4 @@ refs/*) : ;; *) false ;; esac && [ -d "$GIT_DIR/refs" ] && -[ -d "$GIT_OBJECT_DIRECTORY/00" ] +[ -d "$GIT_OBJECT_DIRECTORY/" ] diff --git a/prune-packed.c b/prune-packed.c index 5306e8e5ef..73f0f3a462 100644 --- a/prune-packed.c +++ b/prune-packed.c @@ -26,6 +26,9 @@ static void prune_dir(int i, DIR *dir, char *pathname, int len) else if (unlink(pathname) < 0) error("unable to unlink %s", pathname); } + pathname[len] = 0; + if (rmdir(pathname)) + mkdir(pathname, 0777); } static void prune_packed_objects(void) @@ -46,7 +49,7 @@ static void prune_packed_objects(void) sprintf(pathname + len, "%02x/", i); d = opendir(pathname); if (!d) - die("unable to open %s", pathname); + continue; prune_dir(i, d, pathname, len + 3); closedir(d); } diff --git a/sha1_file.c b/sha1_file.c index 287f618827..baaa4c00da 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -1248,6 +1248,73 @@ char *write_sha1_file_prepare(void *buf, return sha1_file_name(sha1); } +/* + * Link the tempfile to the final place, possibly creating the + * last directory level as you do so. + * + * Returns the errno on failure, 0 on success. + */ +static int link_temp_to_file(const char *tmpfile, char *filename) +{ + int ret; + + if (!link(tmpfile, filename)) + return 0; + + /* + * Try to mkdir the last path component if that failed + * with an ENOENT. + * + * Re-try the "link()" regardless of whether the mkdir + * succeeds, since a race might mean that somebody + * else succeeded. + */ + ret = errno; + if (ret == ENOENT) { + char *dir = strrchr(filename, '/'); + if (dir) { + *dir = 0; + mkdir(filename, 0777); + *dir = '/'; + if (!link(tmpfile, filename)) + return 0; + ret = errno; + } + } + return ret; +} + +/* + * Move the just written object into its final resting place + */ +static int move_temp_to_file(const char *tmpfile, char *filename) +{ + int ret = link_temp_to_file(tmpfile, filename); + if (ret) { + /* + * Coda hack - coda doesn't like cross-directory links, + * so we fall back to a rename, which will mean that it + * won't be able to check collisions, but that's not a + * big deal. + * + * When this succeeds, we just return 0. We have nothing + * left to unlink. + */ + if (ret == EXDEV && !rename(tmpfile, filename)) + return 0; + } + unlink(tmpfile); + if (ret) { + if (ret != EEXIST) { + fprintf(stderr, "unable to write sha1 filename %s: %s", filename, strerror(ret)); + return -1; + } + /* FIXME!!! Collision check here ? */ + } + + return 0; +} + int write_sha1_file(void *buf, unsigned long len, const char *type, unsigned char *returnsha1) { int size; @@ -1257,7 +1324,7 @@ int write_sha1_file(void *buf, unsigned long len, const char *type, unsigned cha char *filename; static char tmpfile[PATH_MAX]; unsigned char hdr[50]; - int fd, hdrlen, ret; + int fd, hdrlen; /* Normally if we have it in the pack then we do not bother writing * it out into .git/objects/??/?{38} file. @@ -1320,32 +1387,7 @@ int write_sha1_file(void *buf, unsigned long len, const char *type, unsigned cha close(fd); free(compressed); - ret = link(tmpfile, filename); - if (ret < 0) { - ret = errno; - - /* - * Coda hack - coda doesn't like cross-directory links, - * so we fall back to a rename, which will mean that it - * won't be able to check collisions, but that's not a - * big deal. - * - * When this succeeds, we just return 0. We have nothing - * left to unlink. - */ - if (ret == EXDEV && !rename(tmpfile, filename)) - return 0; - } - unlink(tmpfile); - if (ret) { - if (ret != EEXIST) { - fprintf(stderr, "unable to write sha1 filename %s: %s", filename, strerror(ret)); - return -1; - } - /* FIXME!!! Collision check here ? */ - } - - return 0; + return move_temp_to_file(tmpfile, filename); } int write_sha1_to_fd(int fd, const unsigned char *sha1) @@ -1420,8 +1462,7 @@ int write_sha1_to_fd(int fd, const unsigned char *sha1) int write_sha1_from_fd(const unsigned char *sha1, int fd, char *buffer, size_t bufsize, size_t *bufposn) { - char *filename = sha1_file_name(sha1); - + char tmpfile[PATH_MAX]; int local; z_stream stream; unsigned char real_sha1[20]; @@ -1429,10 +1470,11 @@ int write_sha1_from_fd(const unsigned char *sha1, int fd, char *buffer, int ret; SHA_CTX c; - local = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0666); + snprintf(tmpfile, sizeof(tmpfile), "%s/obj_XXXXXX", get_object_directory()); + local = mkstemp(tmpfile); if (local < 0) - return error("Couldn't open %s\n", filename); + return error("Couldn't open %s for %s\n", tmpfile, sha1_to_hex(sha1)); memset(&stream, 0, sizeof(stream)); @@ -1462,7 +1504,7 @@ int write_sha1_from_fd(const unsigned char *sha1, int fd, char *buffer, size = read(fd, buffer + *bufposn, bufsize - *bufposn); if (size <= 0) { close(local); - unlink(filename); + unlink(tmpfile); if (!size) return error("Connection closed?"); perror("Reading from connection"); @@ -1475,15 +1517,15 @@ int write_sha1_from_fd(const unsigned char *sha1, int fd, char *buffer, close(local); SHA1_Final(real_sha1, &c); if (ret != Z_STREAM_END) { - unlink(filename); + unlink(tmpfile); return error("File %s corrupted", sha1_to_hex(sha1)); } if (memcmp(sha1, real_sha1, 20)) { - unlink(filename); + unlink(tmpfile); return error("File %s has bad hash\n", sha1_to_hex(sha1)); } - - return 0; + + return move_temp_to_file(tmpfile, sha1_file_name(sha1)); } int has_pack_index(const unsigned char *sha1) diff --git a/t/t0000-basic.sh b/t/t0000-basic.sh index bd940bd09b..5c5f854858 100755 --- a/t/t0000-basic.sh +++ b/t/t0000-basic.sh @@ -28,7 +28,7 @@ test_expect_success \ '.git/objects should be empty after git-init-db in an empty repo.' \ 'cmp -s /dev/null should-be-empty' -# also it should have 258 subdirectories; 256 fan-out, pack, and info. +# also it should have 258 subdirectories; 256 fan-out anymore, pack, and info. # 259 is counting "objects" itself find .git/objects -type d -print >full-of-directories test_expect_success \ -- cgit v1.3-5-g9baa From 3e04c62daab0a8481f907c30414ed246f284a1d9 Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Tue, 18 Oct 2005 18:26:52 -0700 Subject: revised^2: git-daemon extra paranoia, and path DWIM This patch adds some extra paranoia to the git-daemon filename test. In particular, it now rejects pathnames containing //; it also adds a redundant test for pathname absoluteness (belts and suspenders.) A single / at the end of the path is still permitted, however, and the .git and /.git append DWIM stuff is now handled in an integrated manner, which means the resulting path will always be subjected to pathname checks. Signed-off-by: H. Peter Anvin Signed-off-by: Junio C Hamano --- daemon.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 21 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 11fa3ed11f..9ea6c31cd1 100644 --- a/daemon.c +++ b/daemon.c @@ -80,17 +80,30 @@ static int path_ok(const char *dir) { const char *p = dir; char **pp; - int sl = 1, ndot = 0; + int sl, ndot; + + /* The pathname here should be an absolute path. */ + if ( *p++ != '/' ) + return 0; + + sl = 1; ndot = 0; for (;;) { if ( *p == '.' ) { ndot++; - } else if ( *p == '/' || *p == '\0' ) { + } else if ( *p == '\0' ) { + /* Reject "." and ".." at the end of the path */ if ( sl && ndot > 0 && ndot < 3 ) - return 0; /* . or .. in path */ + return 0; + + /* Otherwise OK */ + break; + } else if ( *p == '/' ) { + /* Refuse "", "." or ".." */ + if ( sl && ndot < 3 ) + return 0; sl = 1; - if ( *p == '\0' ) - break; /* End of string and all is good */ + ndot = 0; } else { sl = ndot = 0; } @@ -99,7 +112,7 @@ static int path_ok(const char *dir) if ( ok_paths && *ok_paths ) { int ok = 0; - int dirlen = strlen(dir); /* read_packet_line can return embedded \0 */ + int dirlen = strlen(dir); for ( pp = ok_paths ; *pp ; pp++ ) { int len = strlen(*pp); @@ -118,22 +131,16 @@ static int path_ok(const char *dir) return 1; /* Path acceptable */ } -static int upload(char *dir, int dirlen) +static int set_dir(const char *dir) { - loginfo("Request for '%s'", dir); - if (!path_ok(dir)) { - logerror("Forbidden directory: %s\n", dir); + errno = EACCES; return -1; } - if (chdir(dir) < 0) { - logerror("Cannot chdir('%s'): %s", dir, strerror(errno)); + if ( chdir(dir) ) return -1; - } - - chdir(".git"); - + /* * Security on the cheap. * @@ -141,10 +148,39 @@ static int upload(char *dir, int dirlen) * a "git-daemon-export-ok" flag that says that the other side * is ok with us doing this. */ - if ((!export_all_trees && access("git-daemon-export-ok", F_OK)) || - access("objects/", X_OK) || - access("HEAD", R_OK)) { - logerror("Not a valid git-daemon-enabled repository: '%s'", dir); + if (!export_all_trees && access("git-daemon-export-ok", F_OK)) { + errno = EACCES; + return -1; + } + + if (access("objects/", X_OK) || access("HEAD", R_OK)) { + errno = EINVAL; + return -1; + } + + /* If all this passed, we're OK */ + return 0; +} + +static int upload(char *dir) +{ + /* Try paths in this order */ + static const char *paths[] = { "%s", "%s/.git", "%s.git", "%s.git/.git", NULL }; + const char **pp; + /* Enough for the longest path above including final null */ + int buflen = strlen(dir)+10; + char *dirbuf = xmalloc(buflen); + + loginfo("Request for '%s'", dir); + + for ( pp = paths ; *pp ; pp++ ) { + snprintf(dirbuf, buflen, *pp, dir); + if ( !set_dir(dirbuf) ) + break; + } + + if ( !*pp ) { + logerror("Cannot set directory '%s': %s", dir, strerror(errno)); return -1; } @@ -170,7 +206,7 @@ static int execute(void) line[--len] = 0; if (!strncmp("git-upload-pack /", line, 17)) - return upload(line + 16, len - 16); + return upload(line+16); logerror("Protocol error: '%s'", line); return -1; -- cgit v1.3-5-g9baa From 960deccb26a5bee6c6cd63d50e8272f540a27b19 Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Wed, 19 Oct 2005 14:27:01 -0700 Subject: git-daemon: timeout, eliminate double DWIM It turns out that not only did git-daemon do DWIM, but git-upload-pack does as well. This is bad; security checks have to be performed *after* canonicalization, not before. Additionally, the current git-daemon can be trivially DoSed by spewing SYNs at the target port. This patch adds a --strict option to git-upload-pack to disable all DWIM, a --timeout option to git-daemon and git-upload-pack, and an --init-timeout option to git-daemon (which is typically set to a much lower value, since the initial request should come immediately from the client.) Signed-off-by: H. Peter Anvin Signed-off-by: Junio C Hamano --- daemon.c | 21 +++++++++++++++++++-- upload-pack.c | 45 ++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 59 insertions(+), 7 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 9ea6c31cd1..c3381b344c 100644 --- a/daemon.c +++ b/daemon.c @@ -13,7 +13,9 @@ static int log_syslog; static int verbose; -static const char daemon_usage[] = "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all] [directory...]"; +static const char daemon_usage[] = +"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n" +" [--timeout=n] [--init-timeout=n] [directory...]"; /* List of acceptable pathname prefixes */ static char **ok_paths = NULL; @@ -21,6 +23,9 @@ static char **ok_paths = NULL; /* If this is set, git-daemon-export-ok is not required */ static int export_all_trees = 0; +/* Timeout, and initial timeout */ +static unsigned int timeout = 0; +static unsigned int init_timeout = 0; static void logreport(int priority, const char *err, va_list params) { @@ -170,6 +175,8 @@ static int upload(char *dir) /* Enough for the longest path above including final null */ int buflen = strlen(dir)+10; char *dirbuf = xmalloc(buflen); + /* Timeout as string */ + char timeout_buf[64]; loginfo("Request for '%s'", dir); @@ -190,8 +197,10 @@ static int upload(char *dir) */ signal(SIGTERM, SIG_IGN); + snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout); + /* git-upload-pack only ever reads stuff, so this is safe */ - execlp("git-upload-pack", "git-upload-pack", ".", NULL); + execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL); return -1; } @@ -200,7 +209,9 @@ static int execute(void) static char line[1000]; int len; + alarm(init_timeout ? init_timeout : timeout); len = packet_read_line(0, line, sizeof(line)); + alarm(0); if (len && line[len-1] == '\n') line[--len] = 0; @@ -598,6 +609,12 @@ int main(int argc, char **argv) export_all_trees = 1; continue; } + if (!strncmp(arg, "--timeout=", 10)) { + timeout = atoi(arg+10); + } + if (!strncmp(arg, "--init-timeout=", 10)) { + init_timeout = atoi(arg+15); + } if (!strcmp(arg, "--")) { ok_paths = &argv[i+1]; break; diff --git a/upload-pack.c b/upload-pack.c index 21b4b8b757..8a41cafaaa 100644 --- a/upload-pack.c +++ b/upload-pack.c @@ -4,13 +4,19 @@ #include "tag.h" #include "object.h" -static const char upload_pack_usage[] = "git-upload-pack "; +static const char upload_pack_usage[] = "git-upload-pack [--strict] [--timeout=nn] "; #define MAX_HAS (16) #define MAX_NEEDS (256) static int nr_has = 0, nr_needs = 0; static unsigned char has_sha1[MAX_HAS][20]; static unsigned char needs_sha1[MAX_NEEDS][20]; +static unsigned int timeout = 0; + +static void reset_timeout(void) +{ + alarm(timeout); +} static int strip(char *line, int len) { @@ -100,6 +106,7 @@ static int get_common_commits(void) for(;;) { len = packet_read_line(0, line, sizeof(line)); + reset_timeout(); if (!len) { packet_write(1, "NAK\n"); @@ -122,6 +129,7 @@ static int get_common_commits(void) for (;;) { len = packet_read_line(0, line, sizeof(line)); + reset_timeout(); if (!len) continue; len = strip(line, len); @@ -145,6 +153,7 @@ static int receive_needs(void) for (;;) { unsigned char dummy[20], *sha1_buf; len = packet_read_line(0, line, sizeof(line)); + reset_timeout(); if (!len) return needs; @@ -179,6 +188,7 @@ static int send_ref(const char *refname, const unsigned char *sha1) static int upload_pack(void) { + reset_timeout(); head_ref(send_ref); for_each_ref(send_ref); packet_flush(1); @@ -193,18 +203,43 @@ static int upload_pack(void) int main(int argc, char **argv) { const char *dir; - if (argc != 2) + int i; + int strict = 0; + + for (i = 1; i < argc; i++) { + char *arg = argv[i]; + + if (arg[0] != '-') + break; + if (!strcmp(arg, "--strict")) { + strict = 1; + continue; + } + if (!strncmp(arg, "--timeout=", 10)) { + timeout = atoi(arg+10); + continue; + } + if (!strcmp(arg, "--")) { + i++; + break; + } + } + + if (i != argc-1) usage(upload_pack_usage); - dir = argv[1]; + dir = argv[i]; /* chdir to the directory. If that fails, try appending ".git" */ if (chdir(dir) < 0) { - if (chdir(mkpath("%s.git", dir)) < 0) + if (strict || chdir(mkpath("%s.git", dir)) < 0) die("git-upload-pack unable to chdir to %s", dir); } - chdir(".git"); + if (!strict) + chdir(".git"); + if (access("objects", X_OK) || access("refs", X_OK)) die("git-upload-pack: %s doesn't seem to be a git archive", dir); + putenv("GIT_DIR=."); upload_pack(); return 0; -- cgit v1.3-5-g9baa From 7872e0556746c70e49c5558d271d35b1fbfb1680 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Thu, 20 Oct 2005 00:52:32 -0700 Subject: git-daemon poll() spinning out of control With the '0' timeout given to poll, it returns instantly without any events on my system, causing git-daemon to consume all the CPU time. Use -1 as the timeout so poll() only returns in case of EINTR or actually events being available. Signed-off-by: Jens Axboe Signed-off-by: Junio C Hamano --- daemon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index c3381b344c..b3bcd7a60a 100644 --- a/daemon.c +++ b/daemon.c @@ -533,7 +533,7 @@ static int service_loop(int socknum, int *socklist) for (;;) { int i; - if (poll(pfd, socknum, 0) < 0) { + if (poll(pfd, socknum, -1) < 0) { if (errno != EINTR) { error("poll failed, resuming: %s", strerror(errno)); -- cgit v1.3-5-g9baa From 54e31a205c63d8bc8cd3dcf6956f81d3b968ea48 Mon Sep 17 00:00:00 2001 From: "H. Peter Anvin" Date: Thu, 20 Oct 2005 18:34:58 -0700 Subject: Fix git-daemon argument-parsing bug Fix stupid bug in parsing the --init-timeout option. Signed-off-by: H. Peter Anvin Signed-off-by: Junio C Hamano --- daemon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index b3bcd7a60a..2b56d7d225 100644 --- a/daemon.c +++ b/daemon.c @@ -612,7 +612,7 @@ int main(int argc, char **argv) if (!strncmp(arg, "--timeout=", 10)) { timeout = atoi(arg+10); } - if (!strncmp(arg, "--init-timeout=", 10)) { + if (!strncmp(arg, "--init-timeout=", 15)) { init_timeout = atoi(arg+15); } if (!strcmp(arg, "--")) { -- cgit v1.3-5-g9baa From 979e32fa1483a32faa4ec331e29b357e5eb5ef25 Mon Sep 17 00:00:00 2001 From: "Randal L. Schwartz" Date: Tue, 25 Oct 2005 16:29:09 -0700 Subject: fix daemon.c to compile on OpenBSD I can confirm that the following patch lets the current origin compile on OpenBSD. If you could apply this until you sort out the rest of the namespace issue, I would be happy. Thanks. Signed-off-by: Junio C Hamano --- daemon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'daemon.c') diff --git a/daemon.c b/daemon.c index 0c6182fb93..c3f86410d4 100644 --- a/daemon.c +++ b/daemon.c @@ -1,5 +1,3 @@ -#include "cache.h" -#include "pkt-line.h" #include #include #include @@ -9,6 +7,8 @@ #include #include #include +#include "pkt-line.h" +#include "cache.h" static int log_syslog; static int verbose; -- cgit v1.3-5-g9baa