author | Todd Zullinger <tmz@pobox.com> | 2018-08-03 13:07:50 -0400 |
---|---|---|
committer | Todd Zullinger <tmz@pobox.com> | 2018-08-03 13:12:32 -0400 |
commit | a27c7dcd33114906a6e86f4a84344dadb31b4b2a (patch) | |
tree | 7d72cc3e48cc59dceee6cda3dc6e2e0e09c7e81b | |
parent | e433aeee122096cd30eaf6e8597534e1f334c6dd (diff) | |
Fix directory traversal vulnerability
References:
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html
https://git.zx2c4.com/cgit/commit/?id=53efaf30b
-rw-r--r-- | 0001-clone-fix-directory-traversal.patch | 62 | ||||
-rw-r--r-- | cgit.spec | 9 |
2 files changed, 70 insertions, 1 deletions
diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch
new file mode 100644
index 0000000..9f647f2
--- /dev/null
+++ b/0001-clone-fix-directory-traversal.patch
@@ -0,0 +1,62 @@
+From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: [PATCH] clone: fix directory traversal
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reported-by: Jann Horn <jannh@google.com>
+---
+ ui-clone.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+ 
+ void cgit_clone_objects(void)
+ {
+- if (!ctx.qry.path) {
+- cgit_print_error_page(400, "Bad request", "Bad request");
+- return;
+- }
++ char *p;
++
++ if (!ctx.qry.path)
++ goto err;
+ 
+ if (!strcmp(ctx.qry.path, "info/packs")) {
+ print_pack_info();
+ return;
+ }
+ 
++ /* Avoid directory traversal by forbidding "..", but also work around
++ * other funny business by just specifying a fairly strict format. For
++ * example, now we don't have to stress out about the Cygwin port.
++ */
++ for (p = ctx.qry.path; *p; ++p) {
++ if (*p == '.' && *(p + 1) == '.')
++ goto err;
++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++ goto err;
++ }
++
+ send_file(git_path("objects/%s", ctx.qry.path));
++ return;
++
++err:
++ cgit_print_error_page(400, "Bad request", "Bad request");
+ }
+ 
+ void cgit_clone_head(void)
+--
+2.18.0
+
@@ -17,7 +17,7 @@ Name: cgit Version: 1.1
-Release: 10%{?dist}
+Release: 11%{?dist} Summary: A fast web interface for git Group: Development/Tools
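Review bot: The whitelist loop added to cgit_clone_objects in the embedded ui-clone.c hunk passes a plain `char` to isalnum(*p); where `char` is signed, any byte >= 0x80 in the query path becomes a negative `int`, which is undefined behaviour for the ctype functions (only EOF and values representable as `unsigned char` are valid arguments). Cast at the call site: `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')`. Whether the result is also locale-dependent cannot be told from this patch (it depends on whether cgit calls setlocale() elsewhere); if it does, high-bit bytes could pass isalnum in a non-C locale, so explicit 'a'-'z', 'A'-'Z', '0'-'9' range checks would pin the accepted set regardless of locale. With that addressed, the ".." rejection plus the restricted alphabet looks sufficient for the traversal shown in the commit message, since no accepted character can introduce an absolute path or a NUL, and the function is shown in full in the hunk.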
@@ -28,6 +28,9 @@ Source1: https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.x Source2: cgitrc Source3: README.SELinux
+# https://git.zx2c4.com/cgit/commit/?id=53efaf30b
+Patch0: 0001-clone-fix-directory-traversal.patch
+
 # Security guys might try to repoquery for this. Provides: bundled(git) = %gitver
@@ -60,6 +63,7 @@ Cgit is a fast web interface for git. It uses caching to increase performance. %prep %setup -q -a 1
+%patch0 -p1
 %if %{syntax_highlight} %patch1 -p1 %endif
@@ -153,6 +157,9 @@ install -d -m0755 %{buildroot}%{cachedir} %changelog
+* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
+- Fix directory traversal vulnerability
+
 * Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10 - Use https for source URLs - Remove el5 conditionals |