Commit Graph

271 Commits

Author SHA1 Message Date
Nguyễn Thái Ngọc Duy
82246b765b daemon: be strict at parsing parameters --[no-]informative-errors
Use strcmp() instead of starts_with()/!prefixcmp() to stop accepting
--informative-errors-just-a-little

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-12-20 14:05:07 -08:00
Christian Couder
5955654823 replace {pre,suf}fixcmp() with {starts,ends}_with()
Leaving only the function definitions and declarations so that any
new topic in flight can still make use of the old functions, replace
existing uses of the prefixcmp() and suffixcmp() with new API
functions.

The change can be recreated by mechanically applying this:

    $ git grep -l -e prefixcmp -e suffixcmp -- \*.c |
      grep -v strbuf\\.c |
      xargs perl -pi -e '
        s|!prefixcmp\(|starts_with\(|g;
        s|prefixcmp\(|!starts_with\(|g;
        s|!suffixcmp\(|ends_with\(|g;
        s|suffixcmp\(|!ends_with\(|g;
      '

on the result of preparatory changes in this series.

Signed-off-by: Christian Couder <chriscool@tuxfamily.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-12-05 14:13:21 -08:00
Junio C Hamano
0c544a22f9 Merge branch 'sb/misc-fixes'
Assorted code cleanups and a minor fix.

* sb/misc-fixes:
  diff.c: Do not initialize a variable, which gets reassigned anyway.
  commit: Fix a memory leak in determine_author_info
  daemon.c:handle: Remove unneeded check for null pointer.
2013-07-24 19:20:59 -07:00
Junio C Hamano
cb29dfde48 Merge branch 'tr/protect-low-3-fds'
When "git" is spawned in such a way that any of the low 3 file
descriptors is closed, our first open() may yield file descriptor 2,
and writing error message to it would screw things up in a big way.

* tr/protect-low-3-fds:
  git: ensure 0/1/2 are open in main()
  daemon/shell: refactor redirection of 0/1/2 from /dev/null
2013-07-22 11:23:35 -07:00
Thomas Rast
1d999ddd1d daemon/shell: refactor redirection of 0/1/2 from /dev/null
Both daemon.c and shell.c contain logic to open FDs 0/1/2 from
/dev/null if they are not already open.  Move the function in daemon.c
to setup.c and use it in shell.c, too.

While there, remove a 'not' that inverted the meaning of the comment.
The point is indeed to *avoid* messing up.

Signed-off-by: Thomas Rast <trast@inf.ethz.ch>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-07-17 12:50:34 -07:00
Stefan Beller
5d9cfa29d2 daemon.c:handle: Remove unneeded check for null pointer.
addr doesn't need to be checked at that line as it it already accessed
7 lines before in the if (addr->sa_family).

Signed-off-by: Stefan Beller <stefanbeller@googlemail.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-07-15 09:45:11 -07:00
Junio C Hamano
e013bdab0f Merge branch 'jk/pkt-line-cleanup'
Clean up pkt-line API, implementation and its callers to make them
more robust.

* jk/pkt-line-cleanup:
  do not use GIT_TRACE_PACKET=3 in tests
  remote-curl: always parse incoming refs
  remote-curl: move ref-parsing code up in file
  remote-curl: pass buffer straight to get_remote_heads
  teach get_remote_heads to read from a memory buffer
  pkt-line: share buffer/descriptor reading implementation
  pkt-line: provide a LARGE_PACKET_MAX static buffer
  pkt-line: move LARGE_PACKET_MAX definition from sideband
  pkt-line: teach packet_read_line to chomp newlines
  pkt-line: provide a generic reading function with options
  pkt-line: drop safe_write function
  pkt-line: move a misplaced comment
  write_or_die: raise SIGPIPE when we get EPIPE
  upload-archive: use argv_array to store client arguments
  upload-archive: do not copy repo name
  send-pack: prefer prefixcmp over memcmp in receive_status
  fetch-pack: fix out-of-bounds buffer offset in get_ack
  upload-pack: remove packet debugging harness
  upload-pack: do not add duplicate objects to shallow list
  upload-pack: use get_sha1_hex to parse "shallow" lines
2013-04-01 08:59:37 -07:00
Junio C Hamano
2b0dda5318 Merge branch 'dm/ni-maxhost-may-be-missing' into maint-1.8.1
Some sources failed to compile on systems that lack NI_MAXHOST in
their system header.

* dm/ni-maxhost-may-be-missing:
  git-compat-util.h: Provide missing netdb.h definitions
2013-03-25 13:45:42 -07:00
Junio C Hamano
31ccd35df4 Merge branch 'dm/ni-maxhost-may-be-missing'
On systems without NI_MAXHOST in their system header files,
connect.c (hence most of the transport) did not compile.

* dm/ni-maxhost-may-be-missing:
  git-compat-util.h: Provide missing netdb.h definitions
2013-03-19 12:18:21 -07:00
David Michael
3b130ade45 git-compat-util.h: Provide missing netdb.h definitions
Some platforms may lack the NI_MAXHOST and NI_MAXSERV values in their
system headers, so ensure they are available.

Signed-off-by: David Michael <fedora.dm0@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-25 12:16:08 -08:00
Jeff King
4981fe750b pkt-line: share buffer/descriptor reading implementation
The packet_read function reads from a descriptor. The
packet_get_line function is similar, but reads from an
in-memory buffer, and uses a completely separate
implementation. This patch teaches the generic packet_read
function to accept either source, and we can do away with
packet_get_line's implementation.

There are two other differences to account for between the
old and new functions. The first is that we used to read
into a strbuf, but now read into a fixed size buffer. The
only two callers are fine with that, and in fact it
simplifies their code, since they can use the same
static-buffer interface as the rest of the packet_read_line
callers (and we provide a similar convenience wrapper for
reading from a buffer rather than a descriptor).

This is technically an externally-visible behavior change in
that we used to accept arbitrary sized packets up to 65532
bytes, and now cap out at LARGE_PACKET_MAX, 65520. In
practice this doesn't matter, as we use it only for parsing
smart-http headers (of which there is exactly one defined,
and it is small and fixed-size). And any extension headers
would be breaking the protocol to go over LARGE_PACKET_MAX
anyway.

The other difference is that packet_get_line would return
on error rather than dying. However, both callers of
packet_get_line are actually improved by dying.

The first caller does its own error checking, but we can
drop that; as a result, we'll actually get more specific
reporting about protocol breakage when packet_read dies
internally. The only downside is that packet_read will not
print the smart-http URL that failed, but that's not a big
deal; anybody not debugging can already see the remote's URL
already, and anybody debugging would want to run with
GIT_CURL_VERBOSE anyway to see way more information.

The second caller, which is just trying to skip past any
extra smart-http headers (of which there are none defined,
but which we allow to keep room for future expansion), did
not error check at all. As a result, it would treat an error
just like a flush packet. The resulting mess would generally
cause an error later in get_remote_heads, but now we get
error reporting much closer to the source of the problem.

Brown-paper-bag-fixes-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-24 00:14:15 -08:00
Jeff King
74543a0423 pkt-line: provide a LARGE_PACKET_MAX static buffer
Most of the callers of packet_read_line just read into a
static 1000-byte buffer (callers which handle arbitrary
binary data already use LARGE_PACKET_MAX). This works fine
in practice, because:

  1. The only variable-sized data in these lines is a ref
     name, and refs tend to be a lot shorter than 1000
     characters.

  2. When sending ref lines, git-core always limits itself
     to 1000 byte packets.

However, the only limit given in the protocol specification
in Documentation/technical/protocol-common.txt is
LARGE_PACKET_MAX; the 1000 byte limit is mentioned only in
pack-protocol.txt, and then only describing what we write,
not as a specific limit for readers.

This patch lets us bump the 1000-byte limit to
LARGE_PACKET_MAX. Even though git-core will never write a
packet where this makes a difference, there are two good
reasons to do this:

  1. Other git implementations may have followed
     protocol-common.txt and used a larger maximum size. We
     don't bump into it in practice because it would involve
     very long ref names.

  2. We may want to increase the 1000-byte limit one day.
     Since packets are transferred before any capabilities,
     it's difficult to do this in a backwards-compatible
     way. But if we bump the size of buffer the readers can
     handle, eventually older versions of git will be
     obsolete enough that we can justify bumping the
     writers, as well. We don't have plans to do this
     anytime soon, but there is no reason not to start the
     clock ticking now.

Just bumping all of the reading bufs to LARGE_PACKET_MAX
would waste memory. Instead, since most readers just read
into a temporary buffer anyway, let's provide a single
static buffer that all callers can use. We can further wrap
this detail away by having the packet_read_line wrapper just
use the buffer transparently and return a pointer to the
static storage.  That covers most of the cases, and the
remaining ones already read into their own LARGE_PACKET_MAX
buffers.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-20 13:42:22 -08:00
Jeff King
819b929d33 pkt-line: teach packet_read_line to chomp newlines
The packets sent during ref negotiation are all terminated
by newline; even though the code to chomp these newlines is
short, we end up doing it in a lot of places.

This patch teaches packet_read_line to auto-chomp the
trailing newline; this lets us get rid of a lot of inline
chomping code.

As a result, some call-sites which are not reading
line-oriented data (e.g., when reading chunks of packfiles
alongside sideband) transition away from packet_read_line to
the generic packet_read interface. This patch converts all
of the existing callsites.

Since the function signature of packet_read_line does not
change (but its behavior does), there is a possibility of
new callsites being introduced in later commits, silently
introducing an incompatibility.  However, since a later
patch in this series will change the signature, such a
commit would have to be merged directly into this commit,
not to the tip of the series; we can therefore ignore the
issue.

This is an internal cleanup and should produce no change of
behavior in the normal case. However, there is one corner
case to note. Callers of packet_read_line have never been
able to tell the difference between a flush packet ("0000")
and an empty packet ("0004"), as both cause packet_read_line
to return a length of 0. Readers treat them identically,
even though Documentation/technical/protocol-common.txt says
we must not; it also says that implementations should not
send an empty pkt-line.

By stripping out the newline before the result gets to the
caller, we will now treat the newline-only packet ("0005\n")
the same as an empty packet, which in turn gets treated like
a flush packet. In practice this doesn't matter, as neither
empty nor newline-only packets are part of git's protocols
(at least not for the line-oriented bits, and readers who
are not expecting line-oriented packets will be calling
packet_read directly, anyway). But even if we do decide to
care about the distinction later, it is orthogonal to this
patch.  The right place to tighten would be to stop treating
empty packets as flush packets, and this change does not
make doing so any harder.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-02-20 13:42:21 -08:00
Junio C Hamano
93741e4a91 daemon: --access-hook option
The --access-hook option to "git daemon" specifies an external
command to be run every time a client connects, with

 - service name (e.g. "upload-pack", etc.),
 - path to the repository,
 - hostname (%H),
 - canonical hostname (%CH),
 - ip address (%IP),
 - tcp port (%P)

as its command line arguments.  The external command can decide to
decline the service by exiting with a non-zero status (or to allow it
by exiting with a zero status).  It can also look at the $REMOTE_ADDR
and $REMOTE_PORT environment variables to learn about the requestor
when making this decision.

The external command can optionally write a single line to its
standard output to be sent to the requestor as an error message when
it declines the service.

Acked-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-08-15 11:01:55 -07:00
Clemens Buchacher
f6a34cfbb4 git-daemon: produce output when ready
If a client tries to connect after git-daemon starts, but before it
opens a listening socket, the connection will fail. Output "[PID]
Ready to rumble]" after opening the socket successfully in order to
inform the user that the daemon is now ready to receive
connections.

Signed-off-by: Clemens Buchacher <drizzd@aon.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2012-01-08 15:08:03 -08:00
Ævar Arnfjörð Bjarmason
5e9637c629 i18n: add infrastructure for translating Git with gettext
Change the skeleton implementation of i18n in Git to one that can show
localized strings to users for our C, Shell and Perl programs using
either GNU libintl or the Solaris gettext implementation.

This new internationalization support is enabled by default. If
gettext isn't available, or if Git is compiled with
NO_GETTEXT=YesPlease, Git falls back on its current behavior of
showing interface messages in English. When using the autoconf script
we'll auto-detect if the gettext libraries are installed and act
appropriately.

This change is somewhat large because as well as adding a C, Shell and
Perl i18n interface we're adding a lot of tests for them, and for
those tests to work we need a skeleton PO file to actually test
translations. A minimal Icelandic translation is included for this
purpose. Icelandic includes multi-byte characters which makes it easy
to test various edge cases, and it's a language I happen to
understand.

The rest of the commit message goes into detail about various
sub-parts of this commit.

= Installation

Gettext .mo files will be installed and looked for in the standard
$(prefix)/share/locale path. GIT_TEXTDOMAINDIR can also be set to
override that, but that's only intended to be used to test Git itself.

= Perl

Perl code that's to be localized should use the new Git::I18n
module. It imports a __ function into the caller's package by default.

Instead of using the high level Locale::TextDomain interface I've
opted to use the low-level (equivalent to the C interface)
Locale::Messages module, which Locale::TextDomain itself uses.

Locale::TextDomain does a lot of redundant work we don't need, and
some of it would potentially introduce bugs. It tries to set the
$TEXTDOMAIN based on package of the caller, and has its own
hardcoded paths where it'll search for messages.

I found it easier just to completely avoid it rather than try to
circumvent its behavior. In any case, this is an issue wholly
internal Git::I18N. Its guts can be changed later if that's deemed
necessary.

See <AANLkTilYD_NyIZMyj9dHtVk-ylVBfvyxpCC7982LWnVd@mail.gmail.com> for
a further elaboration on this topic.

= Shell

Shell code that's to be localized should use the git-sh-i18n
library. It's basically just a wrapper for the system's gettext.sh.

If gettext.sh isn't available we'll fall back on gettext(1) if it's
available. The latter is available without the former on Solaris,
which has its own non-GNU gettext implementation. We also need to
emulate eval_gettext() there.

If neither are present we'll use a dumb printf(1) fall-through
wrapper.

= About libcharset.h and langinfo.h

We use libcharset to query the character set of the current locale if
it's available. I.e. we'll use it instead of nl_langinfo if
HAVE_LIBCHARSET_H is set.

The GNU gettext manual recommends using langinfo.h's
nl_langinfo(CODESET) to acquire the current character set, but on
systems that have libcharset.h's locale_charset() using the latter is
either saner, or the only option on those systems.

GNU and Solaris have a nl_langinfo(CODESET), FreeBSD can use either,
but MinGW and some others need to use libcharset.h's locale_charset()
instead.

=Credits

This patch is based on work by Jeff Epler <jepler@unpythonic.net> who
did the initial Makefile / C work, and a lot of comments from the Git
mailing list, including Jonathan Nieder, Jakub Narebski, Johannes
Sixt, Erik Faye-Lund, Peter Krefting, Junio C Hamano, Thomas Rast and
others.

[jc: squashed a small Makefile fix from Ramsay]

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-12-05 20:46:55 -08:00
Junio C Hamano
e75a59adfc Merge branch 'jk/daemon-msgs'
* jk/daemon-msgs:
  daemon: give friendlier error messages to clients

Conflicts:
	daemon.c
2011-10-21 16:04:32 -07:00
Junio C Hamano
afd6284a7f Merge branch 'ph/transport-with-gitfile'
* ph/transport-with-gitfile:
  Fix is_gitfile() for files too small or larger than PATH_MAX to be a gitfile
  Add test showing git-fetch groks gitfiles
  Teach transport about the gitfile mechanism
  Learn to handle gitfiles in enter_repo
  enter_repo: do not modify input
2011-10-21 16:04:32 -07:00
Jeff King
d5570f4d2c daemon: give friendlier error messages to clients
When the git-daemon is asked about an inaccessible repository, it simply
hangs up the connection without saying anything further. This makes it
hard to distinguish between a repository we cannot access (e.g., due to
typo), and a service or network outage.

Instead, let's print an "ERR" line, which git clients understand since
v1.6.1 (2008-12-24).

Because there is a risk of leaking information about non-exported
repositories, by default all errors simply say "access denied or
repository not exported". Sites which don't have hidden repositories, or
don't care, can pass a flag to turn on more specific messages.

Signed-off-by: Jeff King <peff@peff.net>
Helped-by: Sitaram Chamarty <sitaramc@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-10-15 21:15:06 -07:00
Junio C Hamano
522a54568e Merge branch 'nd/git-daemon-error-msgs'
* nd/git-daemon-error-msgs:
  daemon: return "access denied" if a service is not allowed
2011-10-13 19:03:21 -07:00
Erik Faye-Lund
1c64b48e67 enter_repo: do not modify input
entr_repo(..., 0) currently modifies the input to strip away
trailing slashes. This means that we some times need to copy the
input to keep the original.

Change it to unconditionally copy it into the used_path buffer so
we can safely use the input without having to copy it. Also store
a working copy in validated_path up-front before we start
resolving anything.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Phil Hord <hordp@cisco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-10-04 13:30:38 -07:00
Nguyễn Thái Ngọc Duy
089d82e8a6 daemon: log errors if we could not use some sockets
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-10-03 15:38:07 -07:00
Nguyễn Thái Ngọc Duy
723f7a1387 daemon: return "access denied" if a service is not allowed
The message is chosen to avoid leaking information, yet let users know
that they are deliberately not allowed to use the service, not a fault
in service configuration or the service itself.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-10-03 15:20:25 -07:00
Stephen Boyd
c2e86addb8 Fix sparse warnings
Fix warnings from 'make check'.

 - These files don't include 'builtin.h' causing sparse to complain that
   cmd_* isn't declared:

   builtin/clone.c:364, builtin/fetch-pack.c:797,
   builtin/fmt-merge-msg.c:34, builtin/hash-object.c:78,
   builtin/merge-index.c:69, builtin/merge-recursive.c:22
   builtin/merge-tree.c:341, builtin/mktag.c:156, builtin/notes.c:426
   builtin/notes.c:822, builtin/pack-redundant.c:596,
   builtin/pack-refs.c:10, builtin/patch-id.c:60, builtin/patch-id.c:149,
   builtin/remote.c:1512, builtin/remote-ext.c:240,
   builtin/remote-fd.c:53, builtin/reset.c:236, builtin/send-pack.c:384,
   builtin/unpack-file.c:25, builtin/var.c:75

 - These files have symbols which should be marked static since they're
   only file scope:

   submodule.c:12, diff.c:631, replace_object.c:92, submodule.c:13,
   submodule.c:14, trace.c:78, transport.c:195, transport-helper.c:79,
   unpack-trees.c:19, url.c:3, url.c:18, url.c:104, url.c:117, url.c:123,
   url.c:129, url.c:136, thread-utils.c:21, thread-utils.c:48

 - These files redeclare symbols to be different types:

   builtin/index-pack.c:210, parse-options.c:564, parse-options.c:571,
   usage.c:49, usage.c:58, usage.c:63, usage.c:72

 - These files use a literal integer 0 when they really should use a NULL
   pointer:

   daemon.c:663, fast-import.c:2942, imap-send.c:1072, notes-merge.c:362

While we're in the area, clean up some unused #includes in builtin files
(mostly exec_cmd.h).

Signed-off-by: Stephen Boyd <bebarino@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-03-22 10:16:54 -07:00
Jonathan Nieder
081f84ee9e daemon: support <directory> arguments again
Ever since v1.7.4-rc0~125^2~8 (daemon: use run-command api for async
serving, 2010-11-04), git daemon spawns child processes instead of
forking to serve requests.  The child processes learn that they are
being run for this purpose from the presence of the --serve command
line flag.

When running with <ok_path> arguments, the --serve flag is treated
as one of the path arguments and the special child behavior does
not kick in.  So the child becomes an ordinary git daemon process,
notices that all the addresses it needs are in use, and exits with
the message "fatal: unable to allocate any listen sockets on port
9418".

Fix it by putting --serve at the beginning of the command line,
where the flag cannot be mistaken for a path argument.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Acked-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-01-04 11:23:42 -08:00
Junio C Hamano
ec3f7d5d0f Merge branch 'md/interix'
* md/interix:
  Interix: add configure checks
  add support for the SUA layer (interix; windows)

Conflicts:
	git-compat-util.h
2010-11-29 17:52:34 -08:00
Erik Faye-Lund
a666b472c7 daemon: opt-out on features that require posix
Windows does not supply the POSIX-functions fork(), setuuid(), setgid(),
setsid() and initgroups(). Error out if --user or --detach is specified
when if so.

MinGW doesn't have prototypes and headers for inet_ntop and inet_pton,
so include our implementation instead. MSVC does, so avoid doing so
there.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:52 -07:00
Erik Faye-Lund
9cddf56ef1 daemon: make --inetd and --detach incompatible
Since --inetd makes main return with the result of execute() before
daemonize is gets called, these two options are already incompatible.

Document it, and add an error if attempted.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:52 -07:00
Erik Faye-Lund
c295cf0660 daemon: use socklen_t
Windows's accept()-function takes the last argument as an int, but glibc
takes an unsigned int. Use socklen_t to get rid of a warning. This is
basically a revert of 7fa0908, but we have already been depending on
socklen_t existing since June 2006 (commit 5b276ee4). I guess this means
that socklen_t IS defined on OSX after all - at least in recent headers.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:52 -07:00
Erik Faye-Lund
f9c87be6b4 daemon: get remote host address from root-process
Get remote host in the process that accept() and pass it through
the REMOTE_ADDR environment variable to the handler-process.
Introduce the REMOTE_PORT environmen variable for the port.

Use these variables for reporting instead of doing
getpeername(0, ...), which doesn't work on Windows.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:51 -07:00
Erik Faye-Lund
48cfaea108 daemon: use full buffered mode for stderr
Windows doesn't support line buffered mode for file
streams, so let's just use full buffered mode with
a big buffer ("4096 should be enough for everyone")
and add explicit flushing.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:51 -07:00
Erik Faye-Lund
30e1560230 daemon: use run-command api for async serving
fork() is only available on POSIX, so to support git-daemon
on Windows we have to use something else.

Instead we invent the flag --serve, which is a stripped down
version of --inetd-mode. We use start_command() to call
git-daemon with this flag appended to serve clients.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:50 -07:00
Mike Pape
088d880247 mingw: implement syslog
Syslog does not usually exist on Windows, so implement our own using
Window's ReportEvent mechanism.

Strings containing "%1" gets expanded into them selves by ReportEvent,
resulting in an unreadable string. "%2" and above is not a problem.
Unfortunately, on Windows an IPv6 address can contain "%1", so expand
"%1" to "% 1" before reporting. "%%1" is also a problem for ReportEvent,
but that string cannot occur in an IPv6 address.

Signed-off-by: Mike Pape <dotzenlabs@gmail.com>
Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-11-04 16:53:49 -07:00
Markus Duft
2844923d62 add support for the SUA layer (interix; windows)
* add required build options to Makefile.
* introduce new NO_INTTYPES_H for systems lacking inttypes; code
  includes stdint.h instead, if this is set.
* introduce new NO_SYS_POLL_H for systems lacking sys/poll.h; code
  includes poll.h instead, if this is set.
* introduce NO_INITGROUPS. initgroups() call is simply omitted.

Signed-off-by: Markus Duft <mduft@gentoo.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-10-28 17:52:22 -07:00
Junio C Hamano
e6202dfe00 Merge branch 'as/daemon-multi-listen'
* as/daemon-multi-listen:
  daemon: allow more than one host address given via --listen
  daemon: add helper function named_sock_setup
2010-10-26 21:50:03 -07:00
Štěpán Němec
62b4698e55 Use angles for placeholders consistently
Signed-off-by: Štěpán Němec <stepnem@gmail.com>
Acked-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-10-08 12:29:52 -07:00
Alexander Sulfrian
3a3a29c1da daemon: allow more than one host address given via --listen
When the host has more than one interfaces, daemon can listen to all
of them by not giving any --listen option, or listen to only one.
Teach it to accept more than one --listen options.

Remove the hostname information form the die, if no socket could be
created. It would only trigger when no interface out of either all
interface or the ones specified on the command line with --listen
options, can be listened to and so the user does know which "host" was
asked.

Signed-off-by: Alexander Sulfrian <alexander@sulfrian.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-09-28 11:05:35 -07:00
Alexander Sulfrian
2caa321503 daemon: add helper function named_sock_setup
Add named_sock_setup as helper function for socksetup to make it
easier to create more than one listen sockets. named_sock_setup could
be called more than one time and add the new sockets to the supplied
socklist_p.

Signed-off-by: Alexander Sulfrian <alexander@sulfrian.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-09-28 11:04:02 -07:00
Gary V. Vaughan
66dbfd55e3 Rewrite dynamic structure initializations to runtime assignment
Unfortunately, there are still plenty of production systems with
vendor compilers that choke unless all compound declarations can be
determined statically at compile time, for example hpux10.20 (I can
provide a comprehensive list of our supported platforms that exhibit
this problem if necessary).

This patch simply breaks apart any compound declarations with dynamic
initialisation expressions, and moves the initialisation until after
the last declaration in the same block, in all the places necessary to
have the offending compilers accept the code.

Signed-off-by: Gary V. Vaughan <gary@thewrittenword.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-05-31 16:59:26 -07:00
Junio C Hamano
d718dd0732 Merge branch 'bc/maint-daemon-sans-ss-family'
* bc/maint-daemon-sans-ss-family:
  daemon.c: avoid accessing ss_family member of struct sockaddr_storage
2010-04-03 12:28:39 -07:00
Imre Deak
e9bd323510 daemon: parse_host_and_port SIGSEGV if port is specified
This typo will lead to git-daemon dying any time the connect
string includes a port after the host= attribute. This can lead
for example to one of the following error messages on the client
side when someone tries git clone git://...:<port>.

When the daemon is running on localhost:
  fatal: The remote end hung up unexpectedly

or when the daemon is connected through an ssh tunnel:
  fatal: protocol error: bad line length character: erro

In the latter case 'erro' comes from the daemon's reply:
  error: git-daemon died of signal 11

Signed-off-by: Imre Deak <imre.deak@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-03-20 08:49:31 -07:00
Brandon Casey
3aff874af2 daemon.c: avoid accessing ss_family member of struct sockaddr_storage
When NO_SOCKADDR_STORAGE is set for a platform, either sockaddr_in or
sockaddr_in6 is used intead.  Neither of which has an ss_family member.
They have an sin_family and sin6_family member respectively.  Since the
addrcmp() function accesses the ss_family member of a sockaddr_storage
struct, compilation fails on platforms which define NO_SOCKADDR_STORAGE.

Since any sockaddr_* structure can be cast to a struct sockaddr and
have its sa_family member read, do so here to workaround this issue.

Thanks to Martin Storsjö for pointing out the fix, and Gary Vaughan
for drawing attention to the issue.

Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-03-16 19:07:09 -07:00
Junio C Hamano
9517e6b843 Typofixes outside documentation area
begining -> beginning
    canonicalizations -> canonicalization
    comand -> command
    dewrapping -> unwrapping
    dirtyness -> dirtiness
    DISCLAMER -> DISCLAIMER
    explicitely -> explicitly
    feeded -> fed
    impiled -> implied
    madatory -> mandatory
    mimick -> mimic
    preceeding -> preceding
    reqeuest -> request
    substition -> substitution

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-02-03 21:28:17 -08:00
Junio C Hamano
68186857a9 Merge branch 'il/maint-colon-address'
* il/maint-colon-address:
  Allow use of []-wrapped addresses in git://
  Support addresses with ':' in git-daemon
2010-01-27 14:56:42 -08:00
Ilari Liusvaara
e8dbd76d57 Support addresses with ':' in git-daemon
If host address could have ':' in it (e.g. numeric IPv6 address), then
host and port could not be uniquely parsed. Fix this by parsing the
"["<host>"]":<port> and "["<host>"]" notations. Currently the built-in
git:// client would send <host>:<port> or <host> for such thing, but
it doesn't matter as due to bugs, resolving address fails if <host>
contains ':'.

Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-26 10:52:52 -08:00
Junio C Hamano
0877510ad4 Merge branch 'jk/warn-author-committer-after-commit'
* jk/warn-author-committer-after-commit:
  user_ident_sufficiently_given(): refactor the logic to be usable from elsewhere
  commit.c::print_summary: do not release the format string too early
  commit: allow suppression of implicit identity advice
  commit: show interesting ident information in summary
  strbuf: add strbuf_addbuf_percentquote
  strbuf_expand: convert "%%" to "%"

Conflicts:
	builtin-commit.c
	ident.c
2010-01-20 14:40:12 -08:00
Jeff King
0a0416a34a strbuf_expand: convert "%%" to "%"
The only way to safely quote arbitrary text in a pretty-print user
format is to replace instances of "%" with "%x25". This is slightly
unreadable, and many users would expect "%%" to produce a single
"%", as that is what printf format specifiers do.

This patch converts "%%" to "%" for all users of strbuf_expand():

 (1) git-daemon interpolated paths

 (2) pretty-print user formats

 (3) merge driver command lines

Case (1) was already doing the conversion itself outside of
strbuf_expand(). Case (2) is the intended beneficiary of this patch.
Case (3) users probably won't notice, but as this is user-facing
behavior, consistently providing the quoting mechanism makes sense.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-14 09:24:42 -08:00
Erik Faye-Lund
15515b7371 daemon: consider only address in kill_some_child()
kill_some_child() compares the entire sockaddr_storage
structure (with the pad-bits zeroed out) when trying to
find out if connections originate from the same host.
However, sockaddr_storage contains the port-number for
the connection (which varies between connections), so
the comparison always fails.

Change the code so we only consider the host-address,
by introducing the addrcmp()-function that inspects
the address family and compare as appropriate.

Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2010-01-09 23:43:49 -08:00
Junio C Hamano
82f05d5dd7 Merge branch 'tc/format-attribute'
* tc/format-attribute:
  Check the format of more printf-type functions
2009-11-22 16:28:14 -08:00
Tarmigan Casebolt
28bea9e534 Check the format of more printf-type functions
We already have these checks in many printf-type functions that have
prototypes which are in header files.  Add these same checks to some
more prototypes in header functions and to static functions in .c
files.

cc: Miklos Vajna <vmiklos@frugalware.org>
Signed-off-by: Tarmigan Casebolt <tarmigan+git@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-11-15 18:24:58 -08:00
Shawn O. Pearce
34b6cb8bb0 http-backend: Protect GIT_PROJECT_ROOT from /../ requests
Eons ago HPA taught git-daemon how to protect itself from /../
attacks, which Junio brought back into service in d79374c7b5
("daemon.c and path.enter_repo(): revamp path validation").

I did not carry this into git-http-backend as originally we relied
only upon PATH_TRANSLATED, and assumed the HTTP server had done
its access control checks to validate the resolved path was within
a directory permitting access from the remote client.  This would
usually be sufficient to protect a server from requests for its
/etc/passwd file by http://host/smart/../etc/passwd sorts of URLs.

However in 917adc0360 Mark Lodato added GIT_PROJECT_ROOT as an
additional method of configuring the CGI.  When this environment
variable is used the web server does not generate the final access
path and therefore may blindly pass through "/../etc/passwd"
in PATH_INFO under the assumption that "/../" might have special
meaning to the invoked CGI.

Instead of permitting these sorts of malformed path requests, we
now reject them back at the client, with an error message for the
server log.  This matches git-daemon behavior.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-11-09 16:37:33 -08:00
Junio C Hamano
dd787c19c4 Merge branch 'tr/die_errno'
* tr/die_errno:
  Use die_errno() instead of die() when checking syscalls
  Convert existing die(..., strerror(errno)) to die_errno()
  die_errno(): double % in strerror() output just in case
  Introduce die_errno() that appends strerror(errno) to die()
2009-07-06 09:39:46 -07:00
Junio C Hamano
a4103bac37 Merge branch 'js/daemon-log'
* js/daemon-log:
  receive-pack: do not send error details to the client
  upload-pack: squelch progress indicator if client cannot see it
  daemon: send stderr of service programs to the syslog
2009-07-01 19:41:00 -07:00
Thomas Rast
d824cbba02 Convert existing die(..., strerror(errno)) to die_errno()
Change calls to die(..., strerror(errno)) to use the new die_errno().

In the process, also make slight style adjustments: at least state
_something_ about the function that failed (instead of just printing
the pathname), and put paths in single quotes.

Signed-off-by: Thomas Rast <trast@student.ethz.ch>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-27 11:14:53 -07:00
Linus Torvalds
2af202be3d Fix various sparse warnings in the git source code
There are a few remaining ones, but this fixes the trivial ones. It boils
down to two main issues that sparse complains about:

 - warning: Using plain integer as NULL pointer

   Sparse doesn't like you using '0' instead of 'NULL'. For various good
   reasons, not the least of which is just the visual confusion. A NULL
   pointer is not an integer, and that whole "0 works as NULL" is a
   historical accident and not very pretty.

   A few of these remain: zlib is a total mess, and Z_NULL is just a 0.
   I didn't touch those.

 - warning: symbol 'xyz' was not declared. Should it be static?

   Sparse wants to see declarations for any functions you export. A lack
   of a declaration tends to mean that you should either add one, or you
   should mark the function 'static' to show that it's in file scope.

   A few of these remain: I only did the ones that should obviously just
   be made static.

That 'wt_status_submodule_summary' one is debatable. It has a few related
flags (like 'wt_status_use_color') which _are_ declared, and are used by
builtin-commit.c. So maybe we'd like to export it at some point, but it's
not declared now, and not used outside of that file, so 'static' it is in
this patch.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-20 21:52:55 -07:00
Johannes Sixt
5d87dd4fca daemon: send stderr of service programs to the syslog
If git-daemon is run with --detach or --inetd, then stderr is explicitly
redirected to /dev/null. But notice that the service programs were spawned
via execl_git_cmd(), in particular, the stderr channel is inherited from
the daemon. This means that errors that the programs wrote to stderr (for
example, via die()), went to /dev/null.

This patch arranges that the daemon does not merely exec the service
program, but forks it and monitors stderr of the child; it writes the
errors that it produces to the daemons log via logerror().

A consequence is that the daemon process remains in memory for the full
duration of the service program, but this cannot be avoided.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-18 11:38:36 -07:00
Shawn O. Pearce
73bb33a94e daemon: Strictly parse the "extra arg" part of the command
Since 1.4.4.5 (49ba83fb67 "Add virtualization support to git-daemon")
git daemon enters an infinite loop and never terminates if a client
hides any extra arguments in the initial request line which is not
exactly "\0host=blah\0".

Since that change, a client must never insert additional extra
arguments, or attempt to use any argument other than "host=", as
any daemon will get stuck parsing the request line and will never
complete the request.

Since the client can't tell if the daemon is patched or not, it
is not possible to know if additional extra args might actually be
able to be safely requested.

If we ever need to extend the git daemon protocol to support a new
feature, we may have to do something like this to the exchange:

  # If both support git:// v2
  #
  C: 000cgit://v2
  S: 0010ok host user
  C: 0018host git.kernel.org
  C: 0027git-upload-pack /pub/linux-2.6.git
  S: ...git-upload-pack header...

  # If client supports git:// v2, server does not:
  #
  C: 000cgit://v2
  S: <EOF>

  C: 003bgit-upload-pack /pub/linux-2.6.git\0host=git.kernel.org\0
  S: ...git-upload-pack header...

This requires the client to create two TCP connections to talk to
an older git daemon, however all daemons since the introduction of
daemon.c will safely reject the unknown "git://v2" command request,
so the client can quite easily determine the server supports an
older protocol.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-06 13:27:52 -07:00
Benjamin Kramer
3e8a00ae1d daemon.c: fix segfault on OS X
On OS X (and maybe other unices), getaddrinfo(3) returns NULL
in the ai_canonname field if it's called with an IP address for
the hostname. We'll now use the IP address for the hostname if
ai_canonname was NULL, this also matches the behaviour on Linux.

steps to reproduce:
$ git daemon --export-all
$ git clone git://127.0.0.1/frotz
=> git daemon's fork (silently) segfaults.

Remove the pointless loop while at it. There is only one iteration
because of the break; on the last line and there are no continues.

Signed-off-by: Benjamin Kramer <benny.kra@googlemail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-29 16:50:21 -07:00
Jeff King
05ac6b34e2 improve missing repository error message
Certain remote commands, when asked to do something in a
particular directory that was not actually a git repository,
would say "unable to chdir or not a git archive". The
"chdir" bit is an unnecessary detail, and the term "git
archive" is much less common these days than "git repository".

So let's switch them all to:

  fatal: '%s' does not appear to be a git repository

Signed-off-by: Jeff King <peff@peff.net>
Acked-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-03-04 20:37:21 -08:00
Steffen Prohaska
2fb3f6db96 Add calls to git_extract_argv0_path() in programs that call git_config_*
Programs that use git_config need to find the global configuration.
When runtime prefix computation is enabled, this requires that
git_extract_argv0_path() is called early in the program's main().

This commit adds the necessary calls.

Signed-off-by: Steffen Prohaska <prohaska@zib.de>
Acked-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-26 00:26:05 -08:00
Alexander Potashev
d75307084d remove trailing LF in die() messages
LF at the end of format strings given to die() is redundant because
die already adds one on its own.

Signed-off-by: Alexander Potashev <aspotashev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-05 13:01:01 -08:00
René Scharfe
6720e95b30 daemon: cleanup: factor out xstrdup_tolower()
Add xstrdup_tolower(), a helper to get a lower case copy of a
string, and use it in two cases.

Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26 19:09:56 -08:00
René Scharfe
a583971f15 daemon: cleanup: replace loop with if
Replace a loop around an enter_repo() call, which was used to retry
a single time with a different parameter in case the first call fails,
with two calls and an if.  This is shorter and cleaner.

Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26 19:08:32 -08:00
René Scharfe
c569b1fee1 daemon: handle freopen() failure
Die if stderr couldn't be sent to /dev/null when operating in inetd
mode and report the error message from the OS.

This fixes a compiler warning about the return value of freopen()
being ignored on Ubuntu 8.10.

Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26 19:07:56 -08:00
René Scharfe
a47551c382 daemon: deglobalize variable 'directory'
Remove the global variable 'directory' and pass it as a parameter of
the two functions that use it instead, (almost) restoring their
interface to how it was before 49ba83fb67.

Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23 19:56:36 -08:00
René Scharfe
d433ed0bb4 daemon: inline fill_in_extra_table_entries()
Having fill_in_extra_table_entries() as a separate function has no
advantage -- a function with no parameters and return values might as
well be an anonymous block of code.  Its name still refers to the table
of interpolate() which has been removed earlier, so it's better to
inline it at its only call site.

Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23 19:56:26 -08:00
René Scharfe
9d7ca66746 daemon: use strbuf_expand() instead of interpolate()
Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23 19:56:06 -08:00
Joey Hess
53ffb878a9 git-daemon: set REMOTE_ADDR to client address
This allows hooks like pre-receive to look at the client's IP
address.

Of course the IP address can't be used to get strong security;
git-daemon isn't the right thing to use if you need that. However,
basic IP address checking can be good enough in some situations.

REMOTE_ADDR is the same environment variable used to communicate the
client's address to CGI scripts.

Signed-off-by: Joey Hess <joey@kitenet.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-24 16:34:01 -07:00
Shawn O. Pearce
1ad6d46235 Merge branch 'jc/alternate-push'
* jc/alternate-push:
  push: receiver end advertises refs from alternate repositories
  push: prepare sender to receive extended ref information from the receiver
  receive-pack: make it a builtin
  is_directory(): a generic helper function
2008-09-25 09:39:24 -07:00
Junio C Hamano
90b4a71c49 is_directory(): a generic helper function
A simple "grep -e stat --and -e S_ISDIR" revealed there are many
open-coded implementations of this function.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-09-09 09:27:45 -07:00
Junio C Hamano
48196afd28 daemon.c: avoid setlinebuf()
This function is outside POSIX (Linux and recent BSD have it).  Replace it
with setvbuf() which is POSIX.

I am not sure about the value this patch passes as size argument to
setvbuf(), though.  I know the call this patch makes is equivalent to
calling setlinebuf() with GNU libc, but POSIX itself leaves what happens
to the size argument quite vague, saying only "otherwise [i.e. when buf is
a null pointer], size _may_ determine the size of a buffer allocated by
the setvbuf() function."  If passing size=0 causes stdio to allocate very
small buffer, and while stdio tries to line buffer the output, it might
make it to fail to buffer an entire line, causing early flushing of the
stream.

Even if that turns out to be a problem on minorority platforms, we won't
know it until the issue actually hurts them, so let's push this change out
and see what happens.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-09-06 20:23:32 -07:00
David Soria Parra
85e7283069 cast pid_t's to uintmax_t to improve portability
Some systems (like e.g. OpenSolaris) define pid_t as long,
therefore all our sprintf that use %i/%d cause a compiler warning
beacuse of the implicit long->int cast. To make sure that
we fit the limits, we display pids as PRIuMAX and cast them explicitly
to uintmax_t.

Signed-off-by: David Soria Parra <dsp@php.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-31 16:56:22 -07:00
Junio C Hamano
460c201039 daemon.c: minor style fixup
* "else" on the same line as "}" that closes corresponding "if (...) {";

 * multi-line comments begin with "/*\n";

 * sizeof, even it is not a function, is written as "sizeof(...)";

 * no need to check x?alloc() return value -- it would have died;

 * "if (...) { ... }" that covers the whole function body can be dedented
   by returning from the function early with "if (!...) return;";

 * SP on each side of an operator, i.e. "a > 0", not "a>0";

Also removes stale comment describing how remove_child() used to do its
thing.

Signed-off-by: Junio C Hamano <gitster@pobox.com>:

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-25 22:49:49 -07:00
Stephen R. van den Berg
3bd62c2176 git-daemon: rewrite kindergarden, new option --max-connections
Get rid of the fixed array of children and make max-connections
dynamic and configurable.
Fix the killing code to actually kill the newest connections from
duplicate IP-addresses.
Avoid forking if too busy already.

Signed-off-by: Stephen R. van den Berg <srb@cuci.nl>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17 17:43:53 -07:00
Stephen R. van den Berg
695605b508 git-daemon: Simplify dead-children reaping logic
Move almost all code out of the child_handler() into check_dead_children().
The fact that systemcalls get interrupted by signals allows us to
make the SIGCHLD signal handler almost a no-op by simply running
check_dead_children() right before waiting on poll().

In case some systems do not interrupt systemcalls upon signal receipt,
all zombies will eventually be collected before the next poll() cycle.

Signed-off-by: Stephen R. van den Berg <srb@cuci.nl>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17 17:43:53 -07:00
Stephen R. van den Berg
6a992e9e1d git-daemon: use LOG_PID, simplify logging code
Make git-daemon use LOG_PID like most daemons, instead of prepending the
pid to the message ourselves, when using syslog(3).

Simplify the logging code by setting stderr to line buffered, instead of
building a single string and writing it out with a single write(2).

Give an extra log message at the daemon start-up.

Signed-off-by: Stephen R. van den Berg <srb@cuci.nl>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17 17:43:53 -07:00
Stephen R. van den Berg
df0daf8ac0 git-daemon: call logerror() instead of error()
Use logerror(), not error(), so that the messages won't be lost,
especially when running the daemon with its log sent to the syslog
facility.

Signed-off-by: Stephen R. van den Berg <srb@cuci.nl>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17 17:43:53 -07:00
Stephen R. van den Berg
bd7b371e9c git-daemon: SysV needs the signal handler reinstated.
Fixes the bug on (amongst others) Solaris that only the first
child ever is reaped.

Signed-off-by: Stephen R. van den Berg <srb@cuci.nl>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-12 15:41:08 -07:00
Johannes Schindelin
f9bbefc701 git daemon: avoid waking up too often
To avoid waking up unnecessarily, a pipe is set up that is only ever
written to by child_handler(), when a child disconnects, as suggested
per Junio.

This avoids waking up the main process every second to see if a child
was disconnected.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-23 16:57:14 -07:00
Stephan Beyer
1b1dd23f2d Make usage strings dash-less
When you misuse a git command, you are shown the usage string.
But this is currently shown in the dashed form.  So if you just
copy what you see, it will not work, when the dashed form
is no longer supported.

This patch makes git commands show the dash-less version.

For shell scripts that do not specify OPTIONS_SPEC, git-sh-setup.sh
generates a dash-less usage string now.

Signed-off-by: Stephan Beyer <s-beyer@gmx.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-13 14:12:48 -07:00
Johannes Schindelin
a5a9126bb4 git daemon: avoid calling syslog() from a signal handler
Signal handlers should never call syslog(), as that can raise signals
of its own.

Instead, call the syslog() from the master process.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-06 19:10:31 -07:00
Johannes Schindelin
ef90d6d420 Provide git_config with a callback-data parameter
git_config() only had a function parameter, but no callback data
parameter.  This assumes that all callback functions only modify
global variables.

With this patch, every callback gets a void * parameter, and it is hoped
that this will help the libification effort.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-05-14 12:34:44 -07:00
Johannes Sixt
2063207156 daemon: ensure that base-path is an existing directory
Any request to the daemon would fail if base-path (if specified) is not
a directory. We now check for this condition early.

Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-02-27 14:47:36 -08:00
Johannes Sixt
22665bbaab daemon: send more error messages to the syslog
There were a number of die() calls before the syslog was opened; hence,
these error messages would have been sent to /dev/null in detached mode.
Now we install the daemon-specific die routine before any error message is
generated so that these messages go to the syslog.

Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-02-27 14:47:36 -08:00
Junio C Hamano
f3fa183802 Style: place opening brace of a function definition at column 1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-11-08 15:35:32 -08:00
Gerrit Pape
c67359be45 git-daemon: fix remote port number in log entry
The port number in struct sockaddr_in needs to be converted from network
byte order to host byte order (on some architectures).

Signed-off-by: Gerrit Pape <pape@smarden.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-11-05 18:39:18 -08:00
Patrick Welche
415e7b877c Define NI_MAXSERV if not defined by operating system
I found I needed NI_MAXSERV as it is defined in netdb.h, which is
not included by daemon.c.  Rather than including the whole header
we can define a reasonable fallback value.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2007-10-18 21:04:44 -04:00
Jens Axboe
73a7a65663 --base-path-relaxed option
I switched git.kernel.dk to --base-path a few minutes ago, to get rid of
a /data/git postfix in the posted urls. But transitioning is tricky,
since now all old paths will fail miserably.

So I added this --base-path-relaxed option, that will make git-daemon
try the absolute path without prefixing --base-path before giving up.
With this in place and --base-path-relaxed added, both my new url of

    git://git.kernel.dk/linux-2.6-block.git

and the old

    git://git.kernel.dk/data/git/linux-2.6-block.git

work fine.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-08-01 00:37:23 -07:00
Pierre Habouzit
52fae7de4e Missing statics.
Signed-off-by: Pierre Habouzit <madcoder@debian.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-06-08 02:37:19 -07:00
Junio C Hamano
a6080a0a44 War on whitespace
This uses "git-apply --whitespace=strip" to fix whitespace errors that have
crept in to our source files over time.  There are a few files that need
to have trailing whitespaces (most notably, test vectors).  The results
still passes the test, and build result in Documentation/ area is unchanged.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-06-07 00:04:01 -07:00
Jim Meyering
bc4e7d0358 git-daemon: don't ignore pid-file write failure
Note: since the consequence of failure is to call die,
I don't bother to close "f".

Signed-off-by: Jim Meyering <jim@meyering.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-05-21 18:34:14 -07:00
Junio C Hamano
599065a3bb prefixcmp(): fix-up mechanical conversion.
Previous step converted use of strncmp() with literal string
mechanically even when the result is only used as a boolean:

    if (!strncmp("foo", arg, 3)) ==> if (!(-prefixcmp(arg, "foo")))

This step manually cleans them up to read:

    if (!prefixcmp(arg, "foo"))

Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-20 22:03:15 -08:00
Junio C Hamano
cc44c7655f Mechanical conversion to use prefixcmp()
This mechanically converts strncmp() to use prefixcmp(), but only when
the parameters match specific patterns, so that they can be verified
easily.  Leftover from this will be fixed in a separate step, including
idiotic conversions like

    if (!strncmp("foo", arg, 3))

  =>

    if (!(-prefixcmp(arg, "foo")))

This was done by using this script in px.perl

   #!/usr/bin/perl -i.bak -p
   if (/strncmp\(([^,]+), "([^\\"]*)", (\d+)\)/ && (length($2) == $3)) {
           s|strncmp\(([^,]+), "([^\\"]*)", (\d+)\)|prefixcmp($1, "$2")|;
   }
   if (/strncmp\("([^\\"]*)", ([^,]+), (\d+)\)/ && (length($1) == $3)) {
           s|strncmp\("([^\\"]*)", ([^,]+), (\d+)\)|(-prefixcmp($2, "$1"))|;
   }

and running:

   $ git grep -l strncmp -- '*.c' | xargs perl px.perl

Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-20 22:03:15 -08:00
Alexandre Julliard
20276889d6 git-daemon: Avoid leaking the listening sockets into child processes.
This makes it possible to restart git-daemon even if some children are
still running.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-14 10:25:41 -08:00
Pavel Roskin
3dff5379bf Assorted typo fixes
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-03 21:49:54 -08:00
Linus Torvalds
4b3b1e1e48 git-push through git protocol
This allows pushing over the git:// protocol, and while it's not
authenticated, it could make sense from within a firewalled
setup where nobody but trusted internal people can reach the git
port.  git-daemon is possibly easier and faster to set up in the
kind of situation where you set up git instead of CVS inside a
company.

"git-receive-pack" is disabled by default, so you need to enable it
explicitly by starting git-daemon with the "--enable=receive-pack"
command line argument, or by having your config enable it automatically.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-28 12:31:56 -08:00
Andy Whitcroft
93822c2239 short i/o: fix calls to write to use xwrite or write_in_full
We have a number of badly checked write() calls.  Often we are
expecting write() to write exactly the size we requested or fail,
this fails to handle interrupts or short writes.  Switch to using
the new write_in_full().  Otherwise we at a minimum need to check
for EINTR and EAGAIN, where this is appropriate use xwrite().

Note, the changes to config handling are much larger and handled
in the next patch in the sequence.

Signed-off-by: Andy Whitcroft <apw@shadowen.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-08 15:44:47 -08:00
Junio C Hamano
85023577a8 simplify inclusion of system header files.
This is a mechanical clean-up of the way *.c files include
system header files.

 (1) sources under compat/, platform sha-1 implementations, and
     xdelta code are exempt from the following rules;

 (2) the first #include must be "git-compat-util.h" or one of
     our own header file that includes it first (e.g. config.h,
     builtin.h, pkt-line.h);

 (3) system headers that are included in "git-compat-util.h"
     need not be included in individual C source files.

 (4) "git-compat-util.h" does not have to include subsystem
     specific header files (e.g. expat.h).

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-12-20 09:51:35 -08:00
Junio C Hamano
83543a24c3 daemon: do not die on older clients.
In the older times, the clients did not say which host they were trying
to connect, and the code we recently added did not quite handle the
older clients correctly.

Noticed by Simon Arlott.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-10-23 18:26:05 -07:00
Alex Riesen
100690b6e8 fix daemon.c compilation for NO_IPV6=1
Signed-off-by: Alex Riesen <raa.lkml@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-28 18:22:37 -07:00
Johannes Schindelin
695dffe2ef daemon: default to 256 for HOST_NAME_MAX if it is not defined
Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-28 09:14:09 -07:00
Jon Loeliger
eb30aed7c6 Removed memory leaks from interpolation table uses.
Clarified that parse_extra_args()s results in interpolation
table entries.  Removed a few trailing whitespace occurrences.

Signed-off-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-27 18:00:53 -07:00
Jon Loeliger
dd4676299d Cleaned up git-daemon virtual hosting support.
Standardized on lowercase hostnames from client.

Added interpolation values for the IP address, port and
canonical hostname of the server as it is contacted and
named by the client and passed in via the extended args.

Added --listen=host_or_ipaddr option suport.  Renamed port
variable as "listen_port" correspondingly as well.

Documented mutual exclusivity of --inetd option with
    --user, --group, --listen and --port options.

Added compat/inet_pton.c from Paul Vixie as needed.

Small memory leaks need to be cleaned up still.

Signed-off-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-27 18:00:52 -07:00
Jon Loeliger
49ba83fb67 Add virtualization support to git-daemon
Signed-off-by: Jon Loeliger
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-20 11:15:39 -07:00
Franck Bui-Huu
39345a216f Add git-upload-archive
This command implements the git archive protocol on the server
side. This command is not intended to be used by the end user.
Underlying git-archive command line options are sent over the
protocol from "git-archive --remote=...", just like upload-tar
currently does with "git-tar-tree=...".

As for "git-archive" command implementation, this new command
does not execute any existing "git-{tar,zip}-tree" but rely
on the archive API defined by "git-archive" patch. Hence we
get 2 good points:

 - "git-archive" and "git-upload-archive" share all option
   parsing code.

 - All kind of git-upload-{tar,zip} can be deprecated.

Signed-off-by: Franck Bui-Huu <vagabon.xyz@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-09 11:57:37 -07:00
Junio C Hamano
d9edcbd606 Revert "daemon: add upload-tar service."
This reverts parts of commit 74c0cc2 and part of commit 355f541.

Franck and Rene are working on a unified upload-archive which
would supersede this when done, so better not to get in their
way.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-07 02:36:31 -07:00
Junio C Hamano
74c0cc21a5 daemon: add upload-tar service.
This allows clients to ask for tarballs with:

	git tar-tree --remote=git://server/repo refname

By default, the upload-tar service is not enabled.  To enable
it server-wide, the server can be started with:

	git-daemon --enable=upload-tar

This service is by default overridable per repostiory, so
alternatively, a repository can define "daemon.uploadtar = true"
to enable it.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-27 23:32:37 -07:00
Junio C Hamano
d819e4e682 daemon: prepare for multiple services.
This adds an infrastructure to selectively enable and disable
more than one services in git-daemon.  Currently upload-pack
service, which serves the git-fetch-pack and git-peek-remote
clients, is the only service that is defined.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-27 23:32:36 -07:00
Junio C Hamano
d5d0a0e748 Merge branch 'ts/daemon'
* ts/daemon:
  Added support for dropping privileges to git-daemon.
2006-08-27 17:51:42 -07:00
Jonas Fonseca
83572c1a91 Use xrealloc instead of realloc
Change places that use realloc, without a proper error path, to instead use
xrealloc. Drop an erroneous error path in the daemon code that used errno
in the die message in favour of the simpler xrealloc.

Signed-off-by: Jonas Fonseca <fonseca@diku.dk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-26 17:54:06 -07:00
Tilman Sauerbeck
678dac6b45 Added support for dropping privileges to git-daemon.
Signed-off-by: Tilman Sauerbeck <tilman@code-monkey.de>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-22 16:40:40 -07:00
David Rientjes
96f1e58f52 remove unnecessary initializations
[jc: I needed to hand merge the changes to the updated codebase,
 so the result needs to be checked.]

Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-15 21:22:20 -07:00
Matthias Lederhofer
6c35119ac7 daemon: documentation for --reuseaddr, --detach and --pid-file
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-27 13:55:31 -07:00
Matthias Lederhofer
a5262768e1 daemon: new option --detach to run git-daemon in background
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:46 -07:00
Matthias Lederhofer
45ed5d7f4c daemon: new option --pid-file=<path> to store the pid
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:41 -07:00
Matthias Lederhofer
258e93a155 daemon: if one of the standard fds is missing open it to /dev/null
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:20 -07:00
Matthias Lederhofer
ad8b4f56b5 daemon: use a custom die routine with syslog
Removed the git-daemon prefix from die() because no other call to die
does this.

Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:14 -07:00
Timo Hirvonen
554fe20d80 Make some strings const
Signed-off-by: Timo Hirvonen <tihirvon@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-28 03:24:37 -07:00
Junio C Hamano
78831b40d6 Merge branch 'jc/upload-corrupt' into next
* jc/upload-corrupt:
  daemon: send stderr to /dev/null instead of closing.
2006-06-21 16:38:11 -07:00
Junio C Hamano
ba0012c367 daemon: send stderr to /dev/null instead of closing.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-21 16:37:48 -07:00
Junio C Hamano
ad9f72a704 Merge branch 'master' into next
* master:
  checkout -f: do not leave untracked working tree files.
  Log peer address when git-daemon called from inetd
2006-06-21 01:24:45 -07:00
David Woodhouse
5b276ee4fb Log peer address when git-daemon called from inetd
When we run git-daemon from inetd, even with the --verbose option, it
doesn't log the peer address. That logic was only in the standalone
daemon code -- move it to the execute() function instead. Tested with
both IPv6 and Legacy IP clients, in both inetd and daemon mode.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Acked-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-20 22:19:29 -07:00
Junio C Hamano
f0b7367cb1 Restore SIGCHLD to SIG_DFL where we care about waitpid().
It was reported that under one implementation of socks client
"git clone" fails with "error: waitpid failed (No child processes)",
because "git" is spawned after setting SIGCHLD to SIG_IGN.

Arguably it may be a broken setting, but we should protect
ourselves so that we can get reliable results from waitpid() for
the children we care about.

This patch resets SIGCHLD to SIG_DFL in three places:

 - connect.c::git_connect() - initiators of git native
   protocol transfer are covered with this.

 - daemon.c::main() - obviously.

 - merge-index.c::main() - obviously.

There are other programs that do fork() but do not waitpid():
http-push, imap-send.  upload-pack does not either, but in the
case of that program, each of the forked halves runs exec()
another program, so this change would not have much effect
there.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-19 18:44:58 -07:00
Jon Loeliger
5ad312bede Refactor git_tcp_connect() functions a little.
Add client side sending of "\0host=%s\0" extended
arg for git native protocol, backwards compatibly.

Signed-off-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-06 21:44:39 -07:00
Serge E. Hallyn
0032d548db socksetup: don't return on set_reuse_addr() error
The set_reuse_addr() error case was the only error case in
socklist() where we returned rather than continued.  Not sure
why.  Either we must free the socklist, or continue.  This patch
continues on error.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-04-18 14:39:28 -07:00
Junio C Hamano
603968d22b daemon: extend user-relative path notation.
Earlier, we made --base-path to automatically forbid
user-relative paths, which was probably a mistake.  This
introduces --user-path (or --user-path=path) option to control
the use of user-relative paths independently.  The latter form
of the option can be used to restrict accesses to a part of each
user's home directory, similar to "public_html" some webservers
supports.

If we're invoked with --user-path=FOO option, then a URL of the
form git://~USER/PATH/... resolves to the path HOME/FOO/PATH/...,
where HOME is USER's home directory.

[jc: This is much reworked by me so bugs are mine, but the
 original patch was done by Mark Wooding.]

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Mark Wooding
1955fabf41 daemon: Set SO_REUSEADDR on listening sockets.
Without this, you can silently lose the ability to receive IPv4
connections if you stop and restart the daemon.

[jc: tweaked code organization a bit and made this controllable
 from a command line option.]

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Junio C Hamano
363f24c936 daemon: do not forbid user relative paths unconditionally under --base-path
Using base-path to relocate the server public space does not
have anything to do with allowing or forbidding user relative
paths.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Mark Wooding
1fda3d557b daemon: Provide missing argument for logerror() call.
Could cause a crash if --base-path set.  Unlikely to be a security the
concern: message doesn't go to the client, so we can't leak anything
(except by dumping core), and we've already forked, so it's not a denial
of service.

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-03 23:33:20 -08:00
Michal Ostrowski
77cb17e940 Exec git programs without using PATH.
The git suite may not be in PATH (and thus programs such as
git-send-pack could not exec git-rev-list).  Thus there is a need for
logic that will locate these programs.  Modifying PATH is not
desirable as it result in behavior differing from the user's
intentions, as we may end up prepending "/usr/bin" to PATH.

- git C programs will use exec*_git_cmd() APIs to exec sub-commands.
- exec*_git_cmd() will execute a git program by searching for it in
  the following directories:
	1. --exec-path (as used by "git")
	2. The GIT_EXEC_PATH environment variable.
	3. $(gitexecdir) as set in Makefile (default value $(bindir)).
- git wrapper will modify PATH as before to enable shell scripts to
  invoke "git-foo" commands.

Ideally, shell scripts should use the git wrapper to become independent
of PATH, and then modifying PATH will not be necessary.

[jc: with minor updates after a brief review.]

Signed-off-by: Michal Ostrowski <mostrows@watson.ibm.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-01-13 16:49:01 -08:00
Petr Baudis
b21c31c9a5 git-daemon --base-path
Tommi Virtanen expressed a wish on #git to be able to use short and elegant
git URLs by making git-daemon 'root' in a given directory. This patch
implements this, causing git-daemon to interpret all paths relative to
the given base path if any is given.

Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-01-07 21:43:02 -08:00
Junio C Hamano
d79374c7b5 [PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earier (mid October 2005).

Unfortunately, it did not go well as we hoped.

For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allcation or whatever reasons.  Being able to keep using
/pub/scm as the whitelist is a desirable property.

So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name.  When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).

What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob".  And no, you cannot say
/home if the advertised way to access user home directories are
~alice,~bob, etc.  The whole point of this is to avoid
unnecessary aliasing issues.

Anyway, because of this, daemon needs to do a bit more work to
guard itself.  Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end.  I resurrected the
belts and suspender paranoia code HPA did for this purpose.

This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 23:17:42 -08:00
Paul Serice
f35230fb11 git-daemon not listening when compiled with -DNO_IPV6
git-daemon was not listening when compiled with -DNO_IPV6.
socksetup() was not returning socket count when compiled with -DNO_IPV6.

Signed-off-by: Paul Serice <paul@serice.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 14:36:43 -08:00
Junio C Hamano
ce335fe04f daemon: further tweaks.
- Do validation only on canonicalized paths
 - Run upload-pack with "." as repository argument

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 13:47:00 -08:00
Andreas Ericsson
4dbd135279 git-daemon support for user-relative paths.
Dropped a fair amount of reundant code in favour of the library code
in path.c

Added option --strict-paths with documentation, with backwards
compatibility for whitelist entries with symlinks.

Everything that worked earlier still works insofar as I have
remembered testing it.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 13:47:00 -08:00
Andreas Ericsson
a8883288fa daemon.c: fix arg parsing bugs
Allow --init-timeout and --timeout to be specified without falling
through to usage().

Make sure openlog() is called even if implied by --inetd, or messages
will be sent to wherever LOG_USER ends up.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-16 20:34:26 -08:00
Andreas Ericsson
bce8230d5d git-daemon: --inetd implies --syslog
Otherwise nothing is logged anywhere, which is a Bad Thing.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-15 00:19:32 -08:00
Randal L. Schwartz
979e32fa14 fix daemon.c to compile on OpenBSD
I can confirm that the following patch lets the current origin
compile on OpenBSD.  If you could apply this until you sort out the
rest of the namespace issue, I would be happy.  Thanks.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-25 17:37:59 -07:00
Junio C Hamano
4ae22d96fe Merge branch 'fixes' 2005-10-20 23:21:50 -07:00
Junio C Hamano
a935c39727 daemon.c: remove trailing whitespace.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 23:19:36 -07:00
H. Peter Anvin
54e31a205c Fix git-daemon argument-parsing bug
Fix stupid bug in parsing the --init-timeout option.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 22:46:03 -07:00
Jens Axboe
7872e05567 git-daemon poll() spinning out of control
With the '0' timeout given to poll, it returns instantly without any
events on my system, causing git-daemon to consume all the CPU time. Use
-1 as the timeout so poll() only returns in case of EINTR or actually
events being available.

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 21:26:31 -07:00
H. Peter Anvin
960deccb26 git-daemon: timeout, eliminate double DWIM
It turns out that not only did git-daemon do DWIM, but git-upload-pack
does as well.  This is bad; security checks have to be performed *after*
canonicalization, not before.

Additionally, the current git-daemon can be trivially DoSed by spewing
SYNs at the target port.

This patch adds a --strict option to git-upload-pack to disable all
DWIM, a --timeout option to git-daemon and git-upload-pack, and an
--init-timeout option to git-daemon (which is typically set to a much
lower value, since the initial request should come immediately from the
client.)

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-19 14:27:01 -07:00
H. Peter Anvin
3e04c62daa revised^2: git-daemon extra paranoia, and path DWIM
This patch adds some extra paranoia to the git-daemon filename test.  In
particular, it now rejects pathnames containing //; it also adds a
redundant test for pathname absoluteness (belts and suspenders.)

A single / at the end of the path is still permitted, however, and the
.git and /.git append DWIM stuff is now handled in an integrated manner,
which means the resulting path will always be subjected to pathname checks.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-18 18:26:52 -07:00
Linus Torvalds
230f13225d Create object subdirectories on demand
This makes it possible to have a "sparse" git object subdirectory
structure, something that has become much more attractive now that people
use pack-files all the time.

As a result of pack-files, a git object directory doesn't necessarily have
any individual objects lying around, and in that case it's just wasting
space to keep the empty first-level object directories around: on many
filesystems the 256 empty directories will be aboue 1MB of diskspace.

Even more importantly, after you re-pack a project that _used_ to be
unpacked, you could be left with huge directories that no longer contain
anything, but that waste space and take time to look through.

With this change, "git prune-packed" can just do an rmdir() on the
directories, and they'll get removed if empty, and re-created on demand.

This patch also tries to fix up "write_sha1_from_fd()" to use the new
common infrastructure for creating the object files, closing a hole where
we might otherwise leave half-written objects in the object database.

[jc: I unoptimized the part that really removes the fan-out directories
 to ease transition.  init-db still wastes 1MB of diskspace to hold 256
 empty fan-outs, and prune-packed rmdir()'s the grown but empty directories,
 but runs mkdir() immediately after that -- reducing the saving from 150KB
 to 146KB.  These parts will be re-introduced when everybody has the
 on-demand capability.]

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-08 15:54:01 -07:00
H. Peter Anvin
9220282a9c Move signal setting into service_loop() 2005-09-30 11:01:57 -07:00
H. Peter Anvin
7626e49e9f socklen_t is unsigned int on most Linux platforms 2005-09-30 10:48:21 -07:00
H. Peter Anvin
1b4713fb9e Use xmalloc/xcalloc 2005-09-30 10:47:50 -07:00
H. Peter Anvin
d6b89e7bf8 Don't need <alloca.h> 2005-09-30 10:46:42 -07:00
H. Peter Anvin
300b4801b7 Merge with master.kernel.org:/pub/scm/git/git.git 2005-09-30 10:44:21 -07:00