From 960deccb26a5bee6c6cd63d50e8272f540a27b19 Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin" <hpa@zytor.com>
Date: Wed, 19 Oct 2005 14:27:01 -0700
Subject: git-daemon: timeout, eliminate double DWIM

It turns out that not only did git-daemon do DWIM, but git-upload-pack
does as well.  This is bad; security checks have to be performed *after*
canonicalization, not before.

Additionally, the current git-daemon can be trivially DoSed by spewing
SYNs at the target port.

This patch adds a --strict option to git-upload-pack to disable all
DWIM, a --timeout option to git-daemon and git-upload-pack, and an
--init-timeout option to git-daemon (which is typically set to a much
lower value, since the initial request should come immediately from the
client.)

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
---
 daemon.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

(limited to 'daemon.c')

diff --git a/daemon.c b/daemon.c
index 9ea6c31cd1..c3381b344c 100644
--- a/daemon.c
+++ b/daemon.c
@@ -13,7 +13,9 @@
 static int log_syslog;
 static int verbose;
 
-static const char daemon_usage[] = "git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all] [directory...]";
+static const char daemon_usage[] =
+"git-daemon [--verbose] [--syslog] [--inetd | --port=n] [--export-all]\n"
+"           [--timeout=n] [--init-timeout=n] [directory...]";
 
 /* List of acceptable pathname prefixes */
 static char **ok_paths = NULL;
@@ -21,6 +23,9 @@ static char **ok_paths = NULL;
 /* If this is set, git-daemon-export-ok is not required */
 static int export_all_trees = 0;
 
+/* Timeout, and initial timeout */
+static unsigned int timeout = 0;
+static unsigned int init_timeout = 0;
 
 static void logreport(int priority, const char *err, va_list params)
 {
@@ -170,6 +175,8 @@ static int upload(char *dir)
 	/* Enough for the longest path above including final null */
 	int buflen = strlen(dir)+10;
 	char *dirbuf = xmalloc(buflen);
+	/* Timeout as string */
+	char timeout_buf[64];
 
 	loginfo("Request for '%s'", dir);
 
@@ -190,8 +197,10 @@ static int upload(char *dir)
 	 */
 	signal(SIGTERM, SIG_IGN);
 
+	snprintf(timeout_buf, sizeof timeout_buf, "--timeout=%u", timeout);
+
 	/* git-upload-pack only ever reads stuff, so this is safe */
-	execlp("git-upload-pack", "git-upload-pack", ".", NULL);
+	execlp("git-upload-pack", "git-upload-pack", "--strict", timeout_buf, ".", NULL);
 	return -1;
 }
 
@@ -200,7 +209,9 @@ static int execute(void)
 	static char line[1000];
 	int len;
 
+	alarm(init_timeout ? init_timeout : timeout);
 	len = packet_read_line(0, line, sizeof(line));
+	alarm(0);
 
 	if (len && line[len-1] == '\n')
 		line[--len] = 0;
@@ -598,6 +609,12 @@ int main(int argc, char **argv)
 			export_all_trees = 1;
 			continue;
 		}
+		if (!strncmp(arg, "--timeout=", 10)) {
+			timeout = atoi(arg+10);
+		}
+		if (!strncmp(arg, "--init-timeout=", 10)) {
+			init_timeout = atoi(arg+15);
+		}
 		if (!strcmp(arg, "--")) {
 			ok_paths = &argv[i+1];
 			break;
-- 
cgit v1.2.3