mirror/ git
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-04-28 19:45:10 +02:00
Code

Merge branch 'rs/daemon-sanitize-dir-sep' 

"git daemon" has been tightened against systems that take backslash
as directory separator.

* rs/daemon-sanitize-dir-sep:
  daemon: sanitize all directory separators
This commit is contained in:
Junio C Hamano 2021-04-08 13:23:26 -07:00
parent 1b31224e59 9a7f1ce8b7
commit bde35a2a93
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
daemon.c
View File

@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,
/* /*
* Sanitize a string from the client so that it's OK to be inserted into a * Sanitize a string from the client so that it's OK to be inserted into a
* filesystem path. Specifically, we disallow slashes, runs of "..", and * filesystem path. Specifically, we disallow directory separators, runs
* trailing and leading dots, which means that the client cannot escape * of "..", and trailing and leading dots, which means that the client
* our base path via ".." traversal. * cannot escape our base path via ".." traversal.
*/ */
static void sanitize_client(struct strbuf *out, const char *in) static void sanitize_client(struct strbuf *out, const char *in)
{ {
for (; *in; in++) { for (; *in; in++) {
if (*in == '/') if (is_dir_sep(*in))
continue; continue;
if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.')) if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
continue; continue;