mirror/git
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-09-28 03:00:25 +02:00
Code
50d3413740
git/http.h
Jeff King 50d3413740 http: make redirects more obvious 
We instruct curl to always follow HTTP redirects. This is
convenient, but it creates opportunities for malicious
servers to create confusing situations. For instance,
imagine Alice is a git user with access to a private
repository on Bob's server. Mallory runs her own server and
wants to access objects from Bob's repository.

Mallory may try a few tricks that involve asking Alice to
clone from her, build on top, and then push the result:

  1. Mallory may simply redirect all fetch requests to Bob's
     server. Git will transparently follow those redirects
     and fetch Bob's history, which Alice may believe she
     got from Mallory. The subsequent push seems like it is
     just feeding Mallory back her own objects, but is
     actually leaking Bob's objects. There is nothing in
     git's output to indicate that Bob's repository was
     involved at all.

     The downside (for Mallory) of this attack is that Alice
     will have received Bob's entire repository, and is
     likely to notice that when building on top of it.

  2. If Mallory happens to know the sha1 of some object X in
     Bob's repository, she can instead build her own history
     that references that object. She then runs a dumb http
     server, and Alice's client will fetch each object
     individually. When it asks for X, Mallory redirects her
     to Bob's server. The end result is that Alice obtains
     objects from Bob, but they may be buried deep in
     history. Alice is less likely to notice.

Both of these attacks are fairly hard to pull off. There's a
social component in getting Mallory to convince Alice to
work with her. Alice may be prompted for credentials in
accessing Bob's repository (but not always, if she is using
a credential helper that caches). Attack (1) requires a
certain amount of obliviousness on Alice's part while making
a new commit. Attack (2) requires that Mallory knows a sha1
in Bob's repository, that Bob's server supports dumb http,
and that the object in question is loose on Bob's server.

But we can probably make things a bit more obvious without
any loss of functionality. This patch does two things to
that end.

First, when we encounter a whole-repo redirect during the
initial ref discovery, we now inform the user on stderr,
making attack (1) much more obvious.

Second, the decision to follow redirects is now
configurable. The truly paranoid can set the new
http.followRedirects to false to avoid any redirection
entirely. But for a more practical default, we will disallow
redirects only after the initial ref discovery. This is
enough to thwart attacks similar to (2), while still
allowing the common use of redirects at the repository
level. Since c93c92f30 (http: update base URLs when we see
redirects, 2013-09-28) we re-root all further requests from
the redirect destination, which should generally mean that
no further redirection is necessary.

As an escape hatch, in case there really is a server that
needs to redirect individual requests, the user can set
http.followRedirects to "true" (and this can be done on a
per-server basis via http.*.followRedirects config).

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06 12:32:48 -08:00

237 lines
6.4 KiB
C
Raw Blame History

#ifndef HTTP_H
#define HTTP_H
#include "cache.h"
#include <curl/curl.h>
#include <curl/easy.h>
#include "strbuf.h"
#include "remote.h"
#include "url.h"
/*
* We detect based on the cURL version if multi-transfer is
* usable in this implementation and define this symbol accordingly.
* This shouldn't be set by the Makefile or by the user (e.g. via CFLAGS).
*/
#undef USE_CURL_MULTI
#if LIBCURL_VERSION_NUM >= 0x071000
#define USE_CURL_MULTI
#define DEFAULT_MAX_REQUESTS 5
#endif
#if LIBCURL_VERSION_NUM < 0x070704
#define curl_global_cleanup() do { /* nothing */ } while (0)
#endif
#if LIBCURL_VERSION_NUM < 0x070800
#define curl_global_init(a) do { /* nothing */ } while (0)
#endif
#if (LIBCURL_VERSION_NUM < 0x070c04) || (LIBCURL_VERSION_NUM == 0x071000)
#define NO_CURL_EASY_DUPHANDLE
#endif
#if LIBCURL_VERSION_NUM < 0x070a03
#define CURLE_HTTP_RETURNED_ERROR CURLE_HTTP_NOT_FOUND
#endif
#if LIBCURL_VERSION_NUM < 0x070c03
#define NO_CURL_IOCTL
#endif
/*
* CURLOPT_USE_SSL was known as CURLOPT_FTP_SSL up to 7.16.4,
* and the constants were known as CURLFTPSSL_*
*/
#if !defined(CURLOPT_USE_SSL) && defined(CURLOPT_FTP_SSL)
#define CURLOPT_USE_SSL CURLOPT_FTP_SSL
#define CURLUSESSL_TRY CURLFTPSSL_TRY
#endif
struct slot_results {
CURLcode curl_result;
long http_code;
long auth_avail;
long http_connectcode;
};
struct active_request_slot {
CURL *curl;
int in_use;
CURLcode curl_result;
long http_code;
int *finished;
struct slot_results *results;
void *callback_data;
void (*callback_func)(void *data);
struct active_request_slot *next;
};
struct buffer {
struct strbuf buf;
size_t posn;
};
/* Curl request read/write callbacks */
extern size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
extern size_t fwrite_buffer(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
extern size_t fwrite_null(char *ptr, size_t eltsize, size_t nmemb, void *strbuf);
#ifndef NO_CURL_IOCTL
extern curlioerr ioctl_buffer(CURL *handle, int cmd, void *clientp);
#endif
/* Slot lifecycle functions */
extern struct active_request_slot *get_active_slot(void);
extern int start_active_slot(struct active_request_slot *slot);
extern void run_active_slot(struct active_request_slot *slot);
extern void finish_all_active_slots(void);
/*
* This will run one slot to completion in a blocking manner, similar to how
* curl_easy_perform would work (but we don't want to use that, because
* we do not want to intermingle calls to curl_multi and curl_easy).
*
*/
int run_one_slot(struct active_request_slot *slot,
struct slot_results *results);
#ifdef USE_CURL_MULTI
extern void fill_active_slots(void);
extern void add_fill_function(void *data, int (*fill)(void *));
extern void step_active_slots(void);
#endif
extern void http_init(struct remote *remote, const char *url,
int proactive_auth);
extern void http_cleanup(void);
extern struct curl_slist *http_copy_default_headers(void);
extern long int git_curl_ipresolve;
extern int active_requests;
extern int http_is_verbose;
extern size_t http_post_buffer;
extern struct credential http_auth;
extern char curl_errorstr[CURL_ERROR_SIZE];
enum http_follow_config {
HTTP_FOLLOW_NONE,
HTTP_FOLLOW_ALWAYS,
HTTP_FOLLOW_INITIAL
};
extern enum http_follow_config http_follow_config;
static inline int missing__target(int code, int result)
{
return /* file:// URL -- do we ever use one??? */
(result == CURLE_FILE_COULDNT_READ_FILE) ||
/* http:// and https:// URL */
(code == 404 && result == CURLE_HTTP_RETURNED_ERROR) ||
/* ftp:// URL */
(code == 550 && result == CURLE_FTP_COULDNT_RETR_FILE)
;
}
#define missing_target(a) missing__target((a)->http_code, (a)->curl_result)
/* Helpers for modifying and creating URLs */
extern void append_remote_object_url(struct strbuf *buf, const char *url,
const char *hex,
int only_two_digit_prefix);
extern char *get_remote_object_url(const char *url, const char *hex,
int only_two_digit_prefix);
/* Options for http_get_*() */
struct http_get_options {
unsigned no_cache:1,
keep_error:1,
initial_request:1;
/* If non-NULL, returns the content-type of the response. */
struct strbuf *content_type;
/*
* If non-NULL, and content_type above is non-NULL, returns
* the charset parameter from the content-type. If none is
* present, returns an empty string.
*/
struct strbuf *charset;
/*
* If non-NULL, returns the URL we ended up at, including any
* redirects we followed.
*/
struct strbuf *effective_url;
/*
* If both base_url and effective_url are non-NULL, the base URL will
* be munged to reflect any redirections going from the requested url
* to effective_url. See the definition of update_url_from_redirect
* for details.
*/
struct strbuf *base_url;
};
/* Return values for http_get_*() */
#define HTTP_OK 0
#define HTTP_MISSING_TARGET 1
#define HTTP_ERROR 2
#define HTTP_START_FAILED 3
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
/*
* Requests a URL and stores the result in a strbuf.
*
* If the result pointer is NULL, a HTTP HEAD request is made instead of GET.
*/
int http_get_strbuf(const char *url, struct strbuf *result, struct http_get_options *options);
extern int http_fetch_ref(const char *base, struct ref *ref);
/* Helpers for fetching packs */
extern int http_get_info_packs(const char *base_url,
struct packed_git **packs_head);
struct http_pack_request {
char *url;
struct packed_git *target;
struct packed_git **lst;
FILE *packfile;
char tmpfile[PATH_MAX];
struct active_request_slot *slot;
};
extern struct http_pack_request *new_http_pack_request(
struct packed_git *target, const char *base_url);
extern int finish_http_pack_request(struct http_pack_request *preq);
extern void release_http_pack_request(struct http_pack_request *preq);
/* Helpers for fetching object */
struct http_object_request {
char *url;
char tmpfile[PATH_MAX];
int localfile;
CURLcode curl_result;
char errorstr[CURL_ERROR_SIZE];
long http_code;
unsigned char sha1[20];
unsigned char real_sha1[20];
git_SHA_CTX c;
git_zstream stream;
int zret;
int rename;
struct active_request_slot *slot;
};
extern struct http_object_request *new_http_object_request(
const char *base_url, unsigned char *sha1);
extern void process_http_object_request(struct http_object_request *freq);
extern int finish_http_object_request(struct http_object_request *freq);
extern void abort_http_object_request(struct http_object_request *freq);
extern void release_http_object_request(struct http_object_request *freq);
#endif /* HTTP_H */
View Git Blame Copy Permalink