|
|
|
|
/* parsing.c: parsing of config files
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2006-2014 cgit Development Team <cgit@lists.zx2c4.com>
|
|
|
|
|
*
|
|
|
|
|
* Licensed under GNU General Public License v2
|
|
|
|
|
* (see COPYING for full license text)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "cgit.h"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* url syntax: [repo ['/' cmd [ '/' path]]]
|
|
|
|
|
* repo: any valid repo url, may contain '/'
|
|
|
|
|
* cmd: log | commit | diff | tree | view | blob | snapshot
|
|
|
|
|
* path: any valid path, may contain '/'
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
void cgit_parse_url(const char *url)
|
|
|
|
|
{
|
|
|
|
|
char *c, *cmd, *p;
|
|
|
|
|
struct cgit_repo *repo;
|
|
|
|
|
|
|
|
|
|
if (!url || url[0] == '\0')
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
ctx.qry.page = NULL;
|
|
|
|
|
ctx.repo = cgit_get_repoinfo(url);
|
|
|
|
|
if (ctx.repo) {
|
|
|
|
|
ctx.qry.repo = ctx.repo->url;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmd = NULL;
|
|
|
|
|
c = strchr(url, '/');
|
|
|
|
|
while (c) {
|
|
|
|
|
c[0] = '\0';
|
|
|
|
|
repo = cgit_get_repoinfo(url);
|
|
|
|
|
if (repo) {
|
|
|
|
|
ctx.repo = repo;
|
|
|
|
|
cmd = c;
|
|
|
|
|
}
|
|
|
|
|
c[0] = '/';
|
|
|
|
|
c = strchr(c + 1, '/');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ctx.repo) {
|
|
|
|
|
ctx.qry.repo = ctx.repo->url;
|
|
|
|
|
p = strchr(cmd + 1, '/');
|
|
|
|
|
if (p) {
|
|
|
|
|
p[0] = '\0';
|
|
|
|
|
if (p[1])
|
|
|
|
|
ctx.qry.path = trim_end(p + 1, '/');
|
|
|
|
|
}
|
|
|
|
|
if (cmd[1])
|
|
|
|
|
ctx.qry.page = xstrdup(cmd + 1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char *substr(const char *head, const char *tail)
|
|
|
|
|
{
|
|
|
|
|
char *buf;
|
|
|
|
|
|
do not write outside heap buffer
* parsing.c (substr): Handle tail < head.
This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.
The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:
$ git log -1
commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
Author: <T at h.or>
Date: Mon Apr 23 22:29:16 2012 +0200
Here's what happens:
(this is due to buf=malloc(0); strncpy (buf, head, -1);
where "head" may point to plenty of attacker-specified non-NUL bytes,
so we can overwrite a zero-length heap buffer with arbitrary data)
Invalid write of size 1
at 0x4A09361: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
at 0x4A0884D: malloc (vg_replace_malloc.c:263)
by 0x455C85: xmalloc (wrapper.c:35)
by 0x40894C: substr (parsing.c:60)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
Invalid write of size 1
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
Invalid write of size 1
at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x502F000
at 0x4A09400: strncpy (mc_replace_strmem.c:463)
by 0x408977: substr (parsing.c:61)
by 0x4089EF: parse_user (parsing.c:73)
by 0x408D10: cgit_parse_commit (parsing.c:153)
by 0x40A540: cgit_mk_refinfo (shared.c:171)
by 0x40A581: cgit_refs_cb (shared.c:181)
by 0x43DEB3: do_for_each_ref (refs.c:690)
by 0x41075E: cgit_print_branches (ui-refs.c:191)
by 0x416EF2: cgit_print_summary (ui-summary.c:56)
by 0x40780A: summary_fn (cmd.c:120)
by 0x40667A: process_request (cgit.c:544)
by 0x404078: cache_process (cache.c:322)
This happens when tail - head == -1 here:
(parsing.c)
char *substr(const char *head, const char *tail)
{
char *buf;
buf = xmalloc(tail - head + 1);
strncpy(buf, head, tail - head);
buf[tail - head] = '\0';
return buf;
}
char *parse_user(char *t, char **name, char **email, unsigned long *date)
{
char *p = t;
int mode = 1;
while (p && *p) {
if (mode == 1 && *p == '<') {
*name = substr(t, p - 1);
t = p;
mode++;
} else if (mode == 1 && *p == '\n') {
The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.
And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID. To construct the offending commit, I had to resort to
using "git hash-object".
git init -q foo &&
( cd foo &&
echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
h=$(git cat-file commit HEAD|sed 's/au //' \
|git hash-object -t commit -w --stdin) &&
git co -q -b test $h &&
git br -q -D master &&
git br -q -m test master)
git clone -q --bare foo foo.git
cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit
The valgrind output is what you see above.
AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault. Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
12 years ago
|
|
|
if (tail < head)
|
|
|
|
|
return xstrdup("");
|
|
|
|
|
buf = xmalloc(tail - head + 1);
|
|
|
|
|
strlcpy(buf, head, tail - head + 1);
|
|
|
|
|
return buf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void parse_user(const char *t, char **name, char **email, unsigned long *date, int *tz)
|
|
|
|
|
{
|
|
|
|
|
struct ident_split ident;
|
|
|
|
|
unsigned email_len;
|
|
|
|
|
|
|
|
|
|
if (!split_ident_line(&ident, t, strchrnul(t, '\n') - t)) {
|
|
|
|
|
*name = substr(ident.name_begin, ident.name_end);
|
|
|
|
|
|
|
|
|
|
email_len = ident.mail_end - ident.mail_begin;
|
|
|
|
|
*email = xmalloc(strlen("<") + email_len + strlen(">") + 1);
|
|
|
|
|
xsnprintf(*email, email_len + 3, "<%.*s>", email_len, ident.mail_begin);
|
|
|
|
|
|
|
|
|
|
if (ident.date_begin)
|
|
|
|
|
*date = strtoul(ident.date_begin, NULL, 10);
|
|
|
|
|
if (ident.tz_begin)
|
|
|
|
|
*tz = atoi(ident.tz_begin);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef NO_ICONV
|
|
|
|
|
#define reencode(a, b, c)
|
|
|
|
|
#else
|
|
|
|
|
static const char *reencode(char **txt, const char *src_enc, const char *dst_enc)
|
|
|
|
|
{
|
|
|
|
|
char *tmp;
|
|
|
|
|
|
|
|
|
|
if (!txt)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (!*txt || !src_enc || !dst_enc)
|
|
|
|
|
return *txt;
|
|
|
|
|
|
|
|
|
|
/* no encoding needed if src_enc equals dst_enc */
|
|
|
|
|
if (!strcasecmp(src_enc, dst_enc))
|
|
|
|
|
return *txt;
|
|
|
|
|
|
|
|
|
|
tmp = reencode_string(*txt, dst_enc, src_enc);
|
|
|
|
|
if (tmp) {
|
|
|
|
|
free(*txt);
|
|
|
|
|
*txt = tmp;
|
|
|
|
|
}
|
|
|
|
|
return *txt;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
static const char *next_header_line(const char *p)
|
|
|
|
|
{
|
|
|
|
|
p = strchr(p, '\n');
|
|
|
|
|
if (!p)
|
|
|
|
|
return NULL;
|
|
|
|
|
return p + 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int end_of_header(const char *p)
|
|
|
|
|
{
|
|
|
|
|
return !p || (*p == '\n');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct commitinfo *cgit_parse_commit(struct commit *commit)
|
|
|
|
|
{
|
|
|
|
|
const int sha1hex_len = 40;
|
|
|
|
|
struct commitinfo *ret;
|
|
|
|
|
const char *p = get_cached_commit_buffer(the_repository, commit, NULL);
|
|
|
|
|
const char *t;
|
|
|
|
|
|
|
|
|
|
ret = xcalloc(1, sizeof(struct commitinfo));
|
|
|
|
|
ret->commit = commit;
|
|
|
|
|
|
|
|
|
|
if (!p)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
if (!skip_prefix(p, "tree ", &p))
|
|
|
|
|
die("Bad commit: %s", oid_to_hex(&commit->object.oid));
|
|
|
|
|
p += sha1hex_len + 1;
|
|
|
|
|
|
|
|
|
|
while (skip_prefix(p, "parent ", &p))
|
|
|
|
|
p += sha1hex_len + 1;
|
|
|
|
|
|
|
|
|
|
if (p && skip_prefix(p, "author ", &p)) {
|
|
|
|
|
parse_user(p, &ret->author, &ret->author_email,
|
|
|
|
|
&ret->author_date, &ret->author_tz);
|
|
|
|
|
p = next_header_line(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p && skip_prefix(p, "committer ", &p)) {
|
|
|
|
|
parse_user(p, &ret->committer, &ret->committer_email,
|
|
|
|
|
&ret->committer_date, &ret->committer_tz);
|
|
|
|
|
p = next_header_line(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p && skip_prefix(p, "encoding ", &p)) {
|
|
|
|
|
t = strchr(p, '\n');
|
|
|
|
|
if (t) {
|
|
|
|
|
ret->msg_encoding = substr(p, t + 1);
|
|
|
|
|
p = t + 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ret->msg_encoding)
|
|
|
|
|
ret->msg_encoding = xstrdup("UTF-8");
|
|
|
|
|
|
|
|
|
|
while (!end_of_header(p))
|
|
|
|
|
p = next_header_line(p);
|
|
|
|
|
while (p && *p == '\n')
|
|
|
|
|
p++;
|
|
|
|
|
if (!p)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
t = strchrnul(p, '\n');
|
|
|
|
|
ret->subject = substr(p, t);
|
|
|
|
|
while (*t == '\n')
|
|
|
|
|
t++;
|
|
|
|
|
ret->msg = xstrdup(t);
|
|
|
|
|
|
|
|
|
|
reencode(&ret->author, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
reencode(&ret->author_email, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
reencode(&ret->committer, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
reencode(&ret->committer_email, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
reencode(&ret->subject, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
reencode(&ret->msg, ret->msg_encoding, PAGE_ENCODING);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct taginfo *cgit_parse_tag(struct tag *tag)
|
|
|
|
|
{
|
|
|
|
|
void *data;
|
|
|
|
|
enum object_type type;
|
|
|
|
|
unsigned long size;
|
|
|
|
|
const char *p;
|
|
|
|
|
struct taginfo *ret = NULL;
|
|
|
|
|
|
|
|
|
|
data = read_object_file(&tag->object.oid, &type, &size);
|
|
|
|
|
if (!data || type != OBJ_TAG)
|
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
|
|
ret = xcalloc(1, sizeof(struct taginfo));
|
|
|
|
|
|
|
|
|
|
for (p = data; !end_of_header(p); p = next_header_line(p)) {
|
|
|
|
|
if (skip_prefix(p, "tagger ", &p)) {
|
|
|
|
|
parse_user(p, &ret->tagger, &ret->tagger_email,
|
|
|
|
|
&ret->tagger_date, &ret->tagger_tz);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (p && *p == '\n')
|
|
|
|
|
p++;
|
|
|
|
|
|
|
|
|
|
if (p && *p)
|
|
|
|
|
ret->msg = xstrdup(p);
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
free(data);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
