authorShawn Pearce <>2013-01-31 21:02:07 (GMT)
committerJunio C Hamano <>2013-02-04 18:22:36 (GMT)
commit4656bf47fca857df51b5d6f4b7b052192b3b2317 (patch)
tree91e4d6cf951f2964de99d454ec89e426753ac453 /t/lib-httpd
parente1b6ff44d61bcdd91280c3f7c3c5ace32d4b7c52 (diff)
Verify Content-Type from smart HTTP servers
Before parsing a suspected smart-HTTP response verify the returned Content-Type matches the standard. This protects a client from attempting to process a payload that smells like a smart-HTTP server response. JGit has been doing this check on all responses since the dawn of time. I mistakenly failed to include it in git-core when smart HTTP was introduced. At the time I didn't know how to get the Content-Type from libcurl. I punted, meant to circle back and fix this, and just plain forgot about it. Signed-off-by: Shawn Pearce <> Signed-off-by: Junio C Hamano <>
Diffstat (limited to 't/lib-httpd')
2 files changed, 15 insertions, 0 deletions
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index fe76e84..938b4cf 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -62,9 +62,13 @@ Alias /auth/dumb/ www/auth/dumb/
ScriptAliasMatch /smart_*[^/]*/(.*) ${GIT_EXEC_PATH}/git-http-backend/$1
+ScriptAlias /broken_smart/
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
+ Options ExecCGI
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
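Review bot: The added `Options ExecCGI` should be limited to the single fixture script served under `/broken_smart/`, not granted to the whole `${GIT_EXEC_PATH}` directory. As shown here the line follows `Options FollowSymlinks` with no enclosing section visible, and the hunk header announces four added lines while only two appear, so the `<Files>` wrapper and the `ScriptAlias` target were probably lost in rendering; confirm against the real file. A one-line comment above the alias would also help, e.g. `# /broken_smart/: deliberately wrong Content-Type, negative test for the client-side check`.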
diff --git a/t/lib-httpd/ b/t/lib-httpd/
new file mode 100755
index 0000000..f7ebfff
--- /dev/null
+++ b/t/lib-httpd/
@@ -0,0 +1,11 @@
+printf "Content-Type: text/%s\n" "html"
+printf "%s\n" "001e# service=git-upload-pack"
+printf "%s" "0000"
+printf "%s%c%s%s\n" \
+ "00a58681d9f286a48b08f37b3a095330da16689e3693 HEAD" \
+ 0 \
+ " include-tag multi_ack_detailed multi_ack ofs-delta" \
+ " side-band side-band-64k thin-pack no-progress shallow no-done "
+printf "%s" "0000"
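Review bot: In the `printf "%s%c%s%s\n"` call the argument `0` for `%c` prints the ASCII character `0`, not a NUL byte, so the ref line differs from a real advertisement, where NUL separates the ref name from the capability list. For a negative test that matters: the payload should be valid in every respect except the Content-Type, otherwise the client could reject it for a malformed ref line and the test would pass without exercising the new check. Consider putting the separator in the format string, `printf "%s\0%s%s\n"`, and having the test (not visible here) assert on the content-type error specifically. The hunk header announces 11 lines and 9 are shown, so the shebang and the blank line ending the CGI headers are presumably lost in rendering; a leading comment such as `# Emits a smart-HTTP-looking body with Content-Type text/html; clients must refuse it` would document the intent.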