From: Sebastian Kisela <skisela@redhat.com>
To: git@vger.kernel.org
Cc: nico@fluxnic.net, larsxschneider@gmail.com, lfleischer@lfos.de,
skisela@redhat.com
Subject: [PATCH] Sanitize escape char sequences coming from server
Date: Thu, 21 Jun 2018 14:10:30 +0200 [thread overview]
Message-ID: <20180621121030.1721-1-sebastian.kisela@gmail.com> (raw)
From: Sebastian Kisela <skisela@redhat.com>
Fix volnurability against MITM attacks on client side
by replacing non printable and non white space characters
by "?".
Fixes: CVE-2018-1000021
Signed-off-by: Sebastian Kisela <skisela@redhat.com>
---
sideband.c | 20 ++++++++++++++++++++
t/t5401-update-hooks.sh | 23 +++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/sideband.c b/sideband.c
index 325bf0e97..8c9d74ace 100644
--- a/sideband.c
+++ b/sideband.c
@@ -1,3 +1,4 @@
+#include <wchar.h>
#include "cache.h"
#include "pkt-line.h"
#include "sideband.h"
@@ -18,6 +19,20 @@
#define ANSI_SUFFIX "\033[K"
#define DUMB_SUFFIX " "
+int sanitize_server_message(struct strbuf *outbuf)
+{
+ wchar_t *wcstring = xmalloc(sizeof(wchar_t) * outbuf->len);
+ int len = mbstowcs(wcstring, outbuf->buf, outbuf->len);
+ if (len == -1)
+ return 1;
+ for(int i = 0; i <= len; i++)
+ if(!isprint(wcstring[i]) && !isspace(wcstring[i]) )
+ wcstring[i] = '?';
+ if (wcstombs(outbuf->buf, wcstring, outbuf->len) == -1)
+ return 1;
+ return 0;
+}
+
int recv_sideband(const char *me, int in_stream, int out)
{
const char *suffix;
@@ -74,6 +89,9 @@ int recv_sideband(const char *me, int in_stream, int out)
} else {
strbuf_addch(&outbuf, *brk);
}
+
+ if (sanitize_server_message(&outbuf))
+ retval = SIDEBAND_REMOTE_ERROR;
xwrite(2, outbuf.buf, outbuf.len);
strbuf_reset(&outbuf);
@@ -97,6 +115,8 @@ int recv_sideband(const char *me, int in_stream, int out)
if (outbuf.len) {
strbuf_addch(&outbuf, '\n');
+ if (sanitize_server_message(&outbuf))
+ retval = SIDEBAND_REMOTE_ERROR;
xwrite(2, outbuf.buf, outbuf.len);
}
strbuf_release(&outbuf);
diff --git a/t/t5401-update-hooks.sh b/t/t5401-update-hooks.sh
index 7f278d8ce..cc1f6ca29 100755
--- a/t/t5401-update-hooks.sh
+++ b/t/t5401-update-hooks.sh
@@ -148,4 +148,27 @@ test_expect_success 'pre-receive hook that forgets to read its input' '
git push ./victim.git "+refs/heads/*:refs/heads/*"
'
+cat <<EOF >expect
+remote: foo?[0;31mbar?[0m
+To ./victim.git
+ * [new branch] victim_branch -> victim_branch
+EOF
+cat >victim.git/hooks/pre-receive <<'EOF'
+#!/bin/sh
+ printf "foo\033[0;31mbar\033[0m"
+ exit 0
+EOF
+chmod u+x victim.git/hooks/pre-receive
+test_expect_success 'pre-receive stderr contains ANSI colors' '
+ rm -f victim.git/hooks/update victim.git/hooks/post-receive &&
+
+ git branch victim_branch master &&
+ git push ./victim.git "+refs/heads/victim_branch:refs/heads/victim_branch"\
+ >send.out 2>send.err &&
+
+ cat send.err > actual &&
+
+ test_cmp expect actual
+'
+
test_done
--
2.14.4
next reply other threads:[~2018-06-21 12:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-21 12:10 Sebastian Kisela [this message]
2018-06-21 17:41 ` [PATCH] Sanitize escape char sequences coming from server Jeff King
2018-06-21 18:09 ` Pavel Cahyna
2018-06-21 18:51 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180621121030.1721-1-sebastian.kisela@gmail.com \
--to=skisela@redhat.com \
--cc=git@vger.kernel.org \
--cc=larsxschneider@gmail.com \
--cc=lfleischer@lfos.de \
--cc=nico@fluxnic.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).