diff options
| author | Junio C Hamano <gitster@pobox.com> | 2025-06-15 21:52:28 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2025-06-15 21:54:23 -0700 |
| commit | e1775c06465436437f2db0d3b6f59a61cfde0f2d (patch) | |
| tree | ee5fb0758ceb486902d80df4edb6d63ee5f3e53e /bundle-uri.c | |
| parent | 16bd9f20a403117f2e0d9bcda6c6e621d3763e77 (diff) | |
| parent | aadf8ae518afd80b73d49eff8aff475161aa5157 (diff) | |
| download | git-e1775c06465436437f2db0d3b6f59a61cfde0f2d.tar.gz | |
Sync with 2.49.1
Diffstat (limited to 'bundle-uri.c')
| -rw-r--r-- | bundle-uri.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/bundle-uri.c b/bundle-uri.c index 9accf157b4..0050c62bd5 100644 --- a/bundle-uri.c +++ b/bundle-uri.c @@ -297,6 +297,28 @@ static int download_https_uri_to_file(const char *file, const char *uri) struct strbuf line = STRBUF_INIT; int found_get = 0; + /* + * The protocol we speak with git-remote-https(1) uses a space to + * separate between URI and file, so the URI itself must not contain a + * space. If it did, an adversary could change the location where the + * downloaded file is being written to. + * + * Similarly, we use newlines to separate commands from one another. + * Consequently, neither the URI nor the file must contain a newline or + * otherwise an adversary could inject arbitrary commands. + * + * TODO: Restricting newlines in the target paths may break valid + * usecases, even if those are a bit more on the esoteric side. + * If this ever becomes a problem we should probably think about + * alternatives. One alternative could be to use NUL-delimited + * requests in git-remote-http(1). Another alternative could be + * to use URL quoting. + */ + if (strpbrk(uri, " \n")) + return error("bundle-uri: URI is malformed: '%s'", file); + if (strchr(file, '\n')) + return error("bundle-uri: filename is malformed: '%s'", file); + strvec_pushl(&cp.args, "git-remote-https", uri, NULL); cp.err = -1; cp.in = -1; |