ref: 882bbb257682215300e7eb10dca1a4e38c7e9f11
parent: 3e15556a23f5138a64d88bf84d069d21540e9e2d
author: Ori Bernstein <ori@eigenstate.org>
date: Sun Sep 6 13:18:34 EDT 2020
git/serve: check that we're within the prefix Don't let people escape git9 paths with '..' tricks.
--- a/serve.c
+++ b/serve.c
@@ -1,6 +1,5 @@
#include <u.h>
#include <libc.h>
-#include <pool.h>
#include <ctype.h>
#include "git.h"
@@ -450,6 +449,9 @@
p = parsecmd(buf, cmd, sizeof(cmd));
if(snprint(path, sizeof(path), "%s/%s", pathpfx, p) == sizeof(path))
sysfatal("%s: path too long\n", p);+ cleanname(path);
+ if(strncmp(path, pathpfx) != 0)
+ sysfatal("%s: path escapes prefix");if(chdir(path) == -1)
sysfatal("cd %s: %r", p); if(access(".git", AREAD) == -1)