* [PATCH 1/2] http-backend: CGI error messages need to be output on stdout
@ 2021-12-02  0:12 Jan Engelhardt
From: Jan Engelhardt @ 2021-12-02  0:12 UTC (permalink / raw)
  To: git

Accessing a clone-only URL with a browser would always show a blank
page, because the reason string "Request is not supported" was
sent to the wrong file descriptor.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 http-backend.c          |  4 ++--
 t/t5561-http-backend.sh | 46 ++++++++++++++++++++---------------------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git http-backend.c http-backend.c
index 3d6e2ff17f..8f1b69d127 100644
--- http-backend.c
+++ http-backend.c
@@ -134,7 +134,7 @@ static NORETURN void not_found(struct strbuf *hdr, const char *err, ...)
 
 	va_start(params, err);
 	if (err && *err)
-		vfprintf(stderr, err, params);
+		vprintf(err, params);
 	va_end(params);
 	exit(0);
 }
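Review bot: switching `vfprintf(stderr, err, params)` to `vprintf(err, params)` turns every message handed to not_found() into part of the HTTP response body, so the callers' format strings need a pass before this lands: any of them that interpolates a server-side path or strerror() text will now be disclosed to the remote client, whereas on stderr it only reached the web server's error log. Consider sending a generic body to the client and keeping the detailed message on stderr, or sanitising the callers that carry server-side detail.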
@@ -150,7 +150,7 @@ static NORETURN void forbidden(struct strbuf *hdr, const char *err, ...)
 
 	va_start(params, err);
 	if (err && *err)
-		vfprintf(stderr, err, params);
+		vprintf(err, params);
 	va_end(params);
 	exit(0);
 }
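Review bot: after this change forbidden() writes nothing to stderr any more, so a rejected request leaves no reason in the web server's error log and an operator debugging a 403 sees only the status code; suggest emitting the message on both streams, or at least keeping the stderr line. Since this body is now identical to the one in not_found() apart from the status each function emits, the two could share a small static helper that takes the status and the va_list.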
diff --git t/t5561-http-backend.sh t/t5561-http-backend.sh
index 9c57d84315..d8add36fb4 100755
--- t/t5561-http-backend.sh
+++ t/t5561-http-backend.sh
@@ -44,7 +44,7 @@ grep '^[^#]' >exp <<EOF
 
 ###  refs/heads/main
 ###
-GET  /smart/repo.git/refs/heads/main HTTP/1.1 404 -
+GET  /smart/repo.git/refs/heads/main HTTP/1.1 404
 
 ###  getanyfile default
 ###
@@ -59,14 +59,14 @@ GET  /smart/repo.git/$IDX_URL HTTP/1.1 200
 
 ###  no git-daemon-export-ok
 ###
-GET  /smart_noexport/repo.git/HEAD HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/info/refs HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/objects/info/packs HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/objects/info/alternates HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/objects/info/http-alternates HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/$LOOSE_URL HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/$PACK_URL HTTP/1.1 404 -
-GET  /smart_noexport/repo.git/$IDX_URL HTTP/1.1 404 -
+GET  /smart_noexport/repo.git/HEAD HTTP/1.1 404
+GET  /smart_noexport/repo.git/info/refs HTTP/1.1 404
+GET  /smart_noexport/repo.git/objects/info/packs HTTP/1.1 404
+GET  /smart_noexport/repo.git/objects/info/alternates HTTP/1.1 404
+GET  /smart_noexport/repo.git/objects/info/http-alternates HTTP/1.1 404
+GET  /smart_noexport/repo.git/$LOOSE_URL HTTP/1.1 404
+GET  /smart_noexport/repo.git/$PACK_URL HTTP/1.1 404
+GET  /smart_noexport/repo.git/$IDX_URL HTTP/1.1 404
 
 ###  git-daemon-export-ok
 ###
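Review bot: these expectations only record that the `smart_noexport` 404s now carry a body; they say nothing about what the body contains. Because not_found() text now reaches the client, check that the message returned for a repository lacking git-daemon-export-ok does not differ from the one returned for a path that does not exist at all, otherwise a remote user can tell the two cases apart by reading the response body, a difference the access-log comparison used here cannot detect. Comparing the fetched bodies for both cases in the test would lock that in.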
@@ -92,14 +92,14 @@ GET  /smart/repo.git/$IDX_URL HTTP/1.1 200
 
 ###  getanyfile false
 ###
-GET  /smart/repo.git/HEAD HTTP/1.1 403 -
-GET  /smart/repo.git/info/refs HTTP/1.1 403 -
-GET  /smart/repo.git/objects/info/packs HTTP/1.1 403 -
-GET  /smart/repo.git/objects/info/alternates HTTP/1.1 403 -
-GET  /smart/repo.git/objects/info/http-alternates HTTP/1.1 403 -
-GET  /smart/repo.git/$LOOSE_URL HTTP/1.1 403 -
-GET  /smart/repo.git/$PACK_URL HTTP/1.1 403 -
-GET  /smart/repo.git/$IDX_URL HTTP/1.1 403 -
+GET  /smart/repo.git/HEAD HTTP/1.1 403
+GET  /smart/repo.git/info/refs HTTP/1.1 403
+GET  /smart/repo.git/objects/info/packs HTTP/1.1 403
+GET  /smart/repo.git/objects/info/alternates HTTP/1.1 403
+GET  /smart/repo.git/objects/info/http-alternates HTTP/1.1 403
+GET  /smart/repo.git/$LOOSE_URL HTTP/1.1 403
+GET  /smart/repo.git/$PACK_URL HTTP/1.1 403
+GET  /smart/repo.git/$IDX_URL HTTP/1.1 403
 
 ###  uploadpack default
 ###
@@ -113,13 +113,13 @@ POST /smart/repo.git/git-upload-pack HTTP/1.1 200 -
 
 ###  uploadpack false
 ###
-GET  /smart/repo.git/info/refs?service=git-upload-pack HTTP/1.1 403 -
-POST /smart/repo.git/git-upload-pack HTTP/1.1 403 -
+GET  /smart/repo.git/info/refs?service=git-upload-pack HTTP/1.1 403
+POST /smart/repo.git/git-upload-pack HTTP/1.1 403
 
 ###  receivepack default
 ###
-GET  /smart/repo.git/info/refs?service=git-receive-pack HTTP/1.1 403 -
-POST /smart/repo.git/git-receive-pack HTTP/1.1 403 -
+GET  /smart/repo.git/info/refs?service=git-receive-pack HTTP/1.1 403
+POST /smart/repo.git/git-receive-pack HTTP/1.1 403
 
 ###  receivepack true
 ###
@@ -128,8 +128,8 @@ POST /smart/repo.git/git-receive-pack HTTP/1.1 200 -
 
 ###  receivepack false
 ###
-GET  /smart/repo.git/info/refs?service=git-receive-pack HTTP/1.1 403 -
-POST /smart/repo.git/git-receive-pack HTTP/1.1 403 -
+GET  /smart/repo.git/info/refs?service=git-receive-pack HTTP/1.1 403
+POST /smart/repo.git/git-receive-pack HTTP/1.1 403
 EOF
 test_expect_success 'server request log matches test results' '
 	check_access_log exp
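Review bot: the only assertion these hunks touch is the access-log comparison in 'server request log matches test results', so the patch's stated goal, the reason string becoming visible to the client, is not actually tested; all the hunks do is adjust the trailing size field of the expected log lines. Add a test that fetches one of the 404 and one of the 403 URLs and checks the body for the expected message, so a regression back to stderr fails a test instead of just changing a byte count.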
-- 
2.34.0

* [PATCH 2/2] http-backend: give a hint that web browser access is not supported
From: Jan Engelhardt @ 2021-12-02  0:12 UTC (permalink / raw)
  To: git

Add a paragraph that browsing to http-backend is not something
that should normally be done. If a webserver is configured to
unconditionally pass requests to git-http-backend, without any
diversion to a gitweb frontend, it is helpful to at least be told this.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 http-backend.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git http-backend.c http-backend.c
index 8f1b69d127..06e17d45a4 100644
--- http-backend.c
+++ http-backend.c
@@ -775,8 +775,15 @@ int cmd_main(int argc, const char **argv)
 		regfree(&re);
 	}
 
-	if (!cmd)
-		not_found(&hdr, "Request not supported: '%s'", dir);
+	if (!cmd) {
+		const char *hint = "";
+		if (strcmp(method, "GET") == 0)
+			hint = "You cannot use regular web browsing to access "
+			       "this URL. Only git operations like "
+			       "clone/ls-remote/etc. will work.\n";
+		not_found(&hdr, "%s request not supported on '%s'.\n%s",
+			  method, dir, hint);
+	}
 
 	setup_path();
 	if (!enter_repo(dir, 0))
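Review bot: the new body echoes two request-derived values, `method` and `dir`, to the client. Before this is merged, confirm what `dir` holds at this point: if it already includes the server-side project root rather than just the URL path, printing it here discloses filesystem layout, the same concern raised about other not_found() callers in this thread. Also check that the response is emitted as text/plain, or escape the values, since request-derived strings reflected into a text/html body would need escaping. Minor: this code base normally writes `!strcmp(method, "GET")` rather than `strcmp(method, "GET") == 0`.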
-- 
2.34.0

* Re: [PATCH 1/2] http-backend: CGI error messages need to be output on stdout
From: Junio C Hamano @ 2021-12-02  7:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: git

Jan Engelhardt <jengelh@inai.de> writes:

> Accessing a clone-only URL with a browser would always show a blank
> page, because the reason string "Request is not supported" was

"is not supported" -> "not supported", I think.

> sent to the wrong file descriptor.

I looked at the messages given to not_found() and forbidden().  Most
of them do look like they are meant to be given to the remote user,
but some reveal the server side paths, and I am reluctant to judge
the security implication to start giving them, which have been
hidden so far, to the remote users.

I am not sure how strictly it is enforced these days, but at least
in early days we were fairly paranoid and aimed to make sure that a
remote user cannot tell a repository that does not exist from a
repository that the user does not have access to by throwing random
requests at the server.

http-backend.c:161:		forbidden(hdr, "Unsupported service: getanyfile");

This one should be safe, I would think.

http-backend.c:184:		not_found(hdr, "Cannot open '%s': %s", p, strerror(errno));

The 'p' is a path to a file in the repository like
'objects/alternates', that is ready to be given to open(2), so it
clearly leaks the path on the server.

http-backend.c:260:		forbidden(hdr, "Unsupported service: '%s'", name);
http-backend.c:271:		forbidden(hdr, "Unsupported service: '%s'", name);
http-backend.c:278:		forbidden(hdr, "Service not enabled: '%s'", svc->name);

These I think should be benign, but I have to admit that I didn't
think too deep about them.
