author | KatolaZ <katolaz@freaknet.org> | 2018-08-06 12:23:51 +0100 |
committer | KatolaZ <katolaz@freaknet.org> | 2018-08-06 12:23:51 +0100 |
commit | 7fd094820d26cade130638a57847f20acb4ebe62 (patch) | |
tree | bdc3a6b8a6a53c0696aa7bc99bcb920132b5a1ce /ui-clone.c | |
parent | 3f675fb1c087228111bf76b9d4ac7ef0ba18d153 (diff) | |
parent | fcc9b201ea499a424b3bda8c504c7beb7e0ec0bd (diff) |
merging upstream 1.2.1 cgit-70_v0.1.2.1
Diffstat (limited to 'ui-clone.c')
-rw-r--r-- | ui-clone.c | 23 |
1 files changed, 19 insertions, 4 deletions
@@ -92,17 +92,32 @@ void cgit_clone_info(void)
 void cgit_clone_objects(void)
 {
- if (!ctx.qry.path) {
- cgit_print_error_page(400, "Bad request", "Bad request");
- return;
- }
+ char *p;
+
+ if (!ctx.qry.path)
+ goto err;
 if (!strcmp(ctx.qry.path, "info/packs")) {
 print_pack_info();
 return;
 }
+ /* Avoid directory traversal by forbidding "..", but also work around
+ * other funny business by just specifying a fairly strict format. For
+ * example, now we don't have to stress out about the Cygwin port.
+ */
+ for (p = ctx.qry.path; *p; ++p) {
+ if (*p == '.' && *(p + 1) == '.')
+ goto err;
+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
+ goto err;
+ }
+
 send_file(git_path("objects/%s", ctx.qry.path));
+ return;
+
+err:
+ cgit_print_error_page(400, "Bad request", "Bad request");
 }
 void cgit_clone_head(void) |
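Review bot: `isalnum(*p)` in the new validation loop is called on a plain `char`; where `char` is signed, any byte at or above 0x80 in the query path becomes a negative argument, which is undefined behaviour for the ctype functions (only EOF and values representable as `unsigned char` are permitted). Casting first, `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')`, keeps the rejection of non-ASCII bytes well-defined instead of relying on the libc tolerating negative table indices. Since the loop never writes through `p`, declaring it `const char *p` would also make the read-only intent explicit. The `..` check itself is sound as written, because the lookahead `*(p + 1)` stops at the terminator and the loop exits before reading past it.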