mirror of
https://github.com/git/git.git
synced 2024-11-23 18:05:29 +08:00
Merge branch 'jc/push-cert'
The "git push --signed" protocol extension did not limit what the "nonce" that is a server-chosen string can contain or how long it can be, which was unnecessarily lax. Limit both the length and the alphabet to a reasonably small space that can still have enough entropy. * jc/push-cert: push --signed: tighten what the receiving end can ask to sign
This commit is contained in:
commit
268d5bc2b2
23
send-pack.c
23
send-pack.c
@ -308,6 +308,28 @@ static int atomic_push_failure(struct send_pack_args *args,
|
||||
failing_ref->name, failing_ref->status);
|
||||
}
|
||||
|
||||
#define NONCE_LEN_LIMIT 256
|
||||
|
||||
static void reject_invalid_nonce(const char *nonce, int len)
|
||||
{
|
||||
int i = 0;
|
||||
|
||||
if (NONCE_LEN_LIMIT <= len)
|
||||
die("the receiving end asked to sign an invalid nonce <%.*s>",
|
||||
len, nonce);
|
||||
|
||||
for (i = 0; i < len; i++) {
|
||||
int ch = nonce[i] & 0xFF;
|
||||
if (isalnum(ch) ||
|
||||
ch == '-' || ch == '.' ||
|
||||
ch == '/' || ch == '+' ||
|
||||
ch == '=' || ch == '_')
|
||||
continue;
|
||||
die("the receiving end asked to sign an invalid nonce <%.*s>",
|
||||
len, nonce);
|
||||
}
|
||||
}
|
||||
|
||||
int send_pack(struct send_pack_args *args,
|
||||
int fd[], struct child_process *conn,
|
||||
struct ref *remote_refs,
|
||||
@ -354,6 +376,7 @@ int send_pack(struct send_pack_args *args,
|
||||
push_cert_nonce = server_feature_value("push-cert", &len);
|
||||
if (!push_cert_nonce)
|
||||
die(_("the receiving end does not support --signed push"));
|
||||
reject_invalid_nonce(push_cert_nonce, len);
|
||||
push_cert_nonce = xmemdupz(push_cert_nonce, len);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user