| Commit message (Collapse) | Author | Files | Lines |
|
* parsing.c (substr): Handle tail < head.
This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.
The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:
$ git log -1
commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
Author: <T at h.or>
Date: Mon Apr 23 22:29:16 2012 +0200
Here's what happens:
(this is due to buf=malloc(0); strncpy (buf, head, -1);
where "head" may point to plenty of attacker-specified non-NUL bytes,
so we can overwrite a zero-length heap buffer with arbitrary data)
Invalid write of size 1
at 0x4A09361: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
at 0x4A0884D: malloc (vg_replace_malloc.c:263)
by 0x455C85: xmalloc (wrapper.c:35)
by 0x40894C: substr (parsing.c:60)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
Invalid write of size 1
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
Invalid write of size 1
at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x502F000
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
This happens when tail - head == -1 here:
(parsing.c)
char *substr(const char *head, const char *tail)
{
char *buf;
buf = xmalloc(tail - head + 1);
strncpy(buf, head, tail - head);
buf[tail - head] = '\0';
return buf;
}
char *parse_user(char *t, char **name, char **email, unsigned long *date)
{
char *p = t;
int mode = 1;
while (p && *p) {
if (mode == 1 && *p == '<') {
*name = substr(t, p - 1);
t = p;
mode++;
} else if (mode == 1 && *p == '\n') {
The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.
And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID. To construct the offending commit, I had to resort to
using "git hash-object".
git init -q foo &&
( cd foo &&
echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
h=$(git cat-file commit HEAD|sed 's/au //' \
|git hash-object -t commit -w --stdin) &&
git co -q -b test $h &&
git br -q -D master &&
git br -q -m test master)
git clone -q --bare foo foo.git
cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit
The valgrind output is what you see above.
AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault. Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
|
|
The value stored to "t" during its initialization gets overwritten in
any case, so just leave it uninitialized. Spotted by clang-analyzer.
Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Returning "*txt" if "txt" is a null pointer is a bad thing. Spotted with
clang-analyzer.
Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
reencode() takes three arguments in the order (txt, from, to), opposed to
reencode_string, which will, like iconv, handle the arguments with from
and to swapped. Fix that (this makes reencode more intuitive).
If src and dst encoding are equivalent, don't do any encoding.
If no special encoding parameter is found within the commit, assume
UTF-8 and explicitly convert to PAGE_ENCODING. The change to reencode()
mentioned above avoids re-encoding a UTF-8 string to UTF-8, for example.
Signed-off-by: Julius Plenz <plenz@cis.fu-berlin.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
When a commit has a specific encoding, this encoding also applies to
the author and committer name and email.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
When parsing commits and tags cgit made too many assumptions about the
formatting of said objects. This patch tries to make the code be more
prepared to handle 'malformed' objects.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This is a generic http-function.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This is a generic function which wanted its own little object file.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This simplifies the code in cgit.c and makes it easier to extend cgit with
new pages/commands.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This removes the global variable which is used to keep track of the
currently selected repository, and adds a new variable in the cgit_context
structure.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This struct will hold all the cgit runtime information currently found in
a multitude of global variables.
The first cleanup removes all querystring-related variables.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
When a commit or tag lacks author/committer/tagger timestamp, do not skip
the next line in the commit/tag object.
Also, do not bother to print timestamps with value 0 as it is close to certain
to be bogus.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This replaces the iconv-support in cgit with similar functions already
existing in git.
Signed-off-by: Lars Hjemli <hjemli@gmai.com>
|
|
|
|
|
|
|
|
|
|
It's rather silly to point into random memory-locations. Also, remove a
call to strdup() used on a literal char *.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Both the commit- and tagparser failed to handle unexpected header fields.
This adds futureproofing by simply skipping any header we don't know/care
about.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
The new function removes all trailing instances of an arbitrary character
from a copy of the supplied char array. This is then used to remove any
trailing slashes from cgit_query_path.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This can be NULL, so try not to segfault.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
If commit object ends with \0 after subject line, then info->subject
was not set.
This commit fixes this and also sets subject to ** empty ** if it
would otherwise be empty, so that there is something to click on.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
cgit_parse_url() didn't check if the path-part of urls contained a
real path or just a trailing slash. This made the log-page die since
the path filtering supplied an invalid path argument. This fixes it.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This makes is possible to use repo-urls like '/pub/scm/git/git.git' and
even add path specifications, like '/pub/scm/git/git.git/log/documentation'.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
There is no point in restricting the number of included config-
files, but there is a point in restricting the nestinglevel
of configfiles: to avoid recursive inclusions. This is easily
achieved by decrementing the static nesting-variable upon exit
from cgit_read_config().
Also fix some whitespace breakage.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This parameter can be used to include another config-file, like
a standalone repository listing.
Suggested in a patch by Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Teach cgit how to extract author info from a tag.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
An empty commit message would trigger a segfault in the current
cgit_parse_commit().
Also, make sure that all char-pointers are properly initialized.
|
|
Convert valid %xx expressions in querystring to ascii, ignore invalid
expressions (i.e. eat the three characters %xx).
Signed-off-by: Lars Hjemli <larsh@hal-2004.(none)>
|
|
Translate '+' to ' ' in querystring parser (still doesn't handle %xx)
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
We want all four of these when showing a commit, so save them in the
commitinfo struct.
Btw: There's probably no good reason to save committer timestamp since
it's already available in commit->date. But it doesn't hurt us either,
and it makes the parser look more complete, so we just do it.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Make a better commit parser, replacing the ugly one in ui-log.c
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|
|
This enables internal caching of page output.
Page requests are split into four groups:
1) repo listing (front page)
2) repo summary
3) repo pages w/symbolic references in query string
4) repo pages w/constant sha1's in query string
Each group has a TTL specified in minutes. When a page is requested, a cached
filename is stat(2)'ed and st_mtime is compared to time(2). If TTL has expired
(or the file didn't exist), the cached file is regenerated.
When generating a cached file, locking is used to avoid parallell processing
of the request. If multiple processes tries to aquire the same lock, the ones
who fail to get the lock serves the (expired) cached file. If the cached file
don't exist, the process instead calls sched_yield(2) before restarting the
request processing.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
|