summaryrefslogtreecommitdiff
path: root/daemon.c
diff options
context:
space:
mode:
authorH. Peter Anvin <hpa@zytor.com>2005-10-19 21:27:01 (GMT)
committerJunio C Hamano <junkio@cox.net>2005-10-19 21:27:01 (GMT)
commit960deccb26a5bee6c6cd63d50e8272f540a27b19 (patch)
treea5921439da568a46cbb9db25e3d2fa6403167a56 /daemon.c
parentf8765797a41a39f4dfc7030098c38283e6461a83 (diff)
downloadgit-960deccb26a5bee6c6cd63d50e8272f540a27b19.zip
git-960deccb26a5bee6c6cd63d50e8272f540a27b19.tar.gz
git-960deccb26a5bee6c6cd63d50e8272f540a27b19.tar.bz2
git-daemon: timeout, eliminate double DWIM
It turns out that not only did git-daemon do DWIM, but git-upload-pack does as well. This is bad; security checks have to be performed *after* canonicalization, not before. Additionally, the current git-daemon can be trivially DoSed by spewing SYNs at the target port. This patch adds a --strict option to git-upload-pack to disable all DWIM, a --timeout option to git-daemon and git-upload-pack, and an --init-timeout option to git-daemon (which is typically set to a much lower value, since the initial request should come immediately from the client.) Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
Diffstat (limited to 'daemon.c')
-rw-r--r--daemon.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/daemon.c b/daemon.c
index 9ea6c31..c3381b3 100644
--- a/daemon.c
+++ b/daemon.c
@@ -13,7 +13,9 @@
static int log_syslog;
static int verbose;
-static const char daemon_usage[] = "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all] [directory...]";
+static const char daemon_usage[] =
+"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
+" [--timeout=n] [--init-timeout=n] [directory...]";
/* List of acceptable pathname prefixes */
static char **ok_paths = NULL;
@@ -21,6 +23,9 @@ static char **ok_paths = NULL;
/* If this is set, git-daemon-export-ok is not required */
static int export_all_trees = 0;
+/* Timeout, and initial timeout */
+static unsigned int timeout = 0;
+static unsigned int init_timeout = 0;
static void logreport(int priority, const char *err, va_list params)
{
@@ -170,6 +175,8 @@ static int upload(char *dir)
/* Enough for the longest path above including final null */
int buflen = strlen(dir)+10;
char *dirbuf = xmalloc(buflen);
+ /* Timeout as string */
+ char timeout_buf[64];
loginfo("Request for '%s'", dir);
@@ -190,8 +197,10 @@ static int upload(char *dir)
*/
signal(SIGTERM, SIG_IGN);
+ snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);
+
/* git-upload-pack only ever reads stuff, so this is safe */
- execlp("git-upload-pack", "git-upload-pack", ".", NULL);
+ execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL);
return -1;
}
@@ -200,7 +209,9 @@ static int execute(void)
static char line[1000];
int len;
+ alarm(init_timeout ? init_timeout : timeout);
len = packet_read_line(0, line, sizeof(line));
+ alarm(0);
if (len && line[len-1] == '\n')
line[--len] = 0;
@@ -598,6 +609,12 @@ int main(int argc, char **argv)
export_all_trees = 1;
continue;
}
+ if (!strncmp(arg, "--timeout=", 10)) {
+ timeout = atoi(arg+10);
+ }
+ if (!strncmp(arg, "--init-timeout=", 10)) {
+ init_timeout = atoi(arg+15);
+ }
if (!strcmp(arg, "--")) {
ok_paths = &argv[i+1];
break;