From 2f4038ab337e55017d4ff21ddbae9427544ca02c Mon Sep 17 00:00:00 2001 From: "Shawn O. Pearce" Date: Fri, 30 Oct 2009 17:47:32 -0700 Subject: Git-aware CGI to provide dumb HTTP transport The git-http-backend CGI can be configured into any Apache server using ScriptAlias, such as with the following configuration: LoadModule cgi_module /usr/libexec/apache2/mod_cgi.so LoadModule alias_module /usr/libexec/apache2/mod_alias.so ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ Repositories are accessed via the translated PATH_INFO. The CGI is backwards compatible with the dumb client, allowing all older HTTP clients to continue to download repositories which are managed by the CGI. Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- http-backend.c | 289 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 289 insertions(+) create mode 100644 http-backend.c (limited to 'http-backend.c') diff --git a/http-backend.c b/http-backend.c new file mode 100644 index 0000000000..22bec56b98 --- /dev/null +++ b/http-backend.c @@ -0,0 +1,289 @@ +#include "cache.h" +#include "refs.h" +#include "pkt-line.h" +#include "object.h" +#include "tag.h" +#include "exec_cmd.h" + +static const char content_type[] = "Content-Type"; +static const char content_length[] = "Content-Length"; +static const char last_modified[] = "Last-Modified"; + +static void format_write(int fd, const char *fmt, ...) +{ + static char buffer[1024]; + + va_list args; + unsigned n; + + va_start(args, fmt); + n = vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + if (n >= sizeof(buffer)) + die("protocol error: impossibly long line"); + + safe_write(fd, buffer, n); +} + +static void http_status(unsigned code, const char *msg) +{ + format_write(1, "Status: %u %s\r\n", code, msg); +} + +static void hdr_str(const char *name, const char *value) +{ + format_write(1, "%s: %s\r\n", name, value); +} + +static void hdr_int(const char *name, size_t value) +{ + format_write(1, "%s: %" PRIuMAX "\r\n", name, value); +} + +static void hdr_date(const char *name, unsigned long when) +{ + const char *value = show_date(when, 0, DATE_RFC2822); + hdr_str(name, value); +} + +static void hdr_nocache(void) +{ + hdr_str("Expires", "Fri, 01 Jan 1980 00:00:00 GMT"); + hdr_str("Pragma", "no-cache"); + hdr_str("Cache-Control", "no-cache, max-age=0, must-revalidate"); +} + +static void hdr_cache_forever(void) +{ + unsigned long now = time(NULL); + hdr_date("Date", now); + hdr_date("Expires", now + 31536000); + hdr_str("Cache-Control", "public, max-age=31536000"); +} + +static void end_headers(void) +{ + safe_write(1, "\r\n", 2); +} + +static NORETURN void not_found(const char *err, ...) +{ + va_list params; + + http_status(404, "Not Found"); + hdr_nocache(); + end_headers(); + + va_start(params, err); + if (err && *err) + vfprintf(stderr, err, params); + va_end(params); + exit(0); +} + +static void send_strbuf(const char *type, struct strbuf *buf) +{ + hdr_int(content_length, buf->len); + hdr_str(content_type, type); + end_headers(); + safe_write(1, buf->buf, buf->len); +} + +static void send_file(const char *the_type, const char *name) +{ + const char *p = git_path("%s", name); + size_t buf_alloc = 8192; + char *buf = xmalloc(buf_alloc); + int fd; + struct stat sb; + size_t size; + + fd = open(p, O_RDONLY); + if (fd < 0) + not_found("Cannot open '%s': %s", p, strerror(errno)); + if (fstat(fd, &sb) < 0) + die_errno("Cannot stat '%s'", p); + + size = xsize_t(sb.st_size); + + hdr_int(content_length, size); + hdr_str(content_type, the_type); + hdr_date(last_modified, sb.st_mtime); + end_headers(); + + while (size) { + ssize_t n = xread(fd, buf, buf_alloc); + if (n < 0) + die_errno("Cannot read '%s'", p); + if (!n) + break; + safe_write(1, buf, n); + } + close(fd); + free(buf); +} + +static void get_text_file(char *name) +{ + hdr_nocache(); + send_file("text/plain", name); +} + +static void get_loose_object(char *name) +{ + hdr_cache_forever(); + send_file("application/x-git-loose-object", name); +} + +static void get_pack_file(char *name) +{ + hdr_cache_forever(); + send_file("application/x-git-packed-objects", name); +} + +static void get_idx_file(char *name) +{ + hdr_cache_forever(); + send_file("application/x-git-packed-objects-toc", name); +} + +static int show_text_ref(const char *name, const unsigned char *sha1, + int flag, void *cb_data) +{ + struct strbuf *buf = cb_data; + struct object *o = parse_object(sha1); + if (!o) + return 0; + + strbuf_addf(buf, "%s\t%s\n", sha1_to_hex(sha1), name); + if (o->type == OBJ_TAG) { + o = deref_tag(o, name, 0); + if (!o) + return 0; + strbuf_addf(buf, "%s\t%s^{}\n", sha1_to_hex(o->sha1), name); + } + return 0; +} + +static void get_info_refs(char *arg) +{ + struct strbuf buf = STRBUF_INIT; + + for_each_ref(show_text_ref, &buf); + hdr_nocache(); + send_strbuf("text/plain", &buf); + strbuf_release(&buf); +} + +static void get_info_packs(char *arg) +{ + size_t objdirlen = strlen(get_object_directory()); + struct strbuf buf = STRBUF_INIT; + struct packed_git *p; + size_t cnt = 0; + + prepare_packed_git(); + for (p = packed_git; p; p = p->next) { + if (p->pack_local) + cnt++; + } + + strbuf_grow(&buf, cnt * 53 + 2); + for (p = packed_git; p; p = p->next) { + if (p->pack_local) + strbuf_addf(&buf, "P %s\n", p->pack_name + objdirlen + 6); + } + strbuf_addch(&buf, '\n'); + + hdr_nocache(); + send_strbuf("text/plain; charset=utf-8", &buf); + strbuf_release(&buf); +} + +static NORETURN void die_webcgi(const char *err, va_list params) +{ + char buffer[1000]; + + http_status(500, "Internal Server Error"); + hdr_nocache(); + end_headers(); + + vsnprintf(buffer, sizeof(buffer), err, params); + fprintf(stderr, "fatal: %s\n", buffer); + exit(0); +} + +static struct service_cmd { + const char *method; + const char *pattern; + void (*imp)(char *); +} services[] = { + {"GET", "/HEAD$", get_text_file}, + {"GET", "/info/refs$", get_info_refs}, + {"GET", "/objects/info/alternates$", get_text_file}, + {"GET", "/objects/info/http-alternates$", get_text_file}, + {"GET", "/objects/info/packs$", get_info_packs}, + {"GET", "/objects/[0-9a-f]{2}/[0-9a-f]{38}$", get_loose_object}, + {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.pack$", get_pack_file}, + {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.idx$", get_idx_file} +}; + +int main(int argc, char **argv) +{ + char *method = getenv("REQUEST_METHOD"); + char *dir = getenv("PATH_TRANSLATED"); + struct service_cmd *cmd = NULL; + char *cmd_arg = NULL; + int i; + + git_extract_argv0_path(argv[0]); + set_die_routine(die_webcgi); + + if (!method) + die("No REQUEST_METHOD from server"); + if (!strcmp(method, "HEAD")) + method = "GET"; + if (!dir) + die("No PATH_TRANSLATED from server"); + + for (i = 0; i < ARRAY_SIZE(services); i++) { + struct service_cmd *c = &services[i]; + regex_t re; + regmatch_t out[1]; + + if (regcomp(&re, c->pattern, REG_EXTENDED)) + die("Bogus regex in service table: %s", c->pattern); + if (!regexec(&re, dir, 1, out, 0)) { + size_t n = out[0].rm_eo - out[0].rm_so; + + if (strcmp(method, c->method)) { + const char *proto = getenv("SERVER_PROTOCOL"); + if (proto && !strcmp(proto, "HTTP/1.1")) + http_status(405, "Method Not Allowed"); + else + http_status(400, "Bad Request"); + hdr_nocache(); + end_headers(); + return 0; + } + + cmd = c; + cmd_arg = xmalloc(n); + strncpy(cmd_arg, dir + out[0].rm_so + 1, n); + cmd_arg[n] = '\0'; + dir[out[0].rm_so] = 0; + break; + } + regfree(&re); + } + + if (!cmd) + not_found("Request not supported: '%s'", dir); + + setup_path(); + if (!enter_repo(dir, 0)) + not_found("Not a git repository: '%s'", dir); + + cmd->imp(cmd_arg); + return 0; +} -- cgit v1.2.3 From 556cfa3b6d316074d41cd73c4659402fdb6207c8 Mon Sep 17 00:00:00 2001 From: "Shawn O. Pearce" Date: Fri, 30 Oct 2009 17:47:34 -0700 Subject: Smart fetch and push over HTTP: server side Requests for $GIT_URL/git-receive-pack and $GIT_URL/git-upload-pack are forwarded to the corresponding backend process by directly executing it and leaving stdin and stdout connected to the invoking web server. Prior to starting the backend process the HTTP response headers are sent, thereby freeing the backend from needing to know about the HTTP protocol. Requests that are encoded with Content-Encoding: gzip are automatically inflated before being streamed into the backend. This is primarily useful for the git-upload-pack backend, which receives highly repetitive text data from clients that easily compresses to 50% of its original size. Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- Documentation/git-http-backend.txt | 39 ++++- http-backend.c | 324 ++++++++++++++++++++++++++++++++++++- 2 files changed, 359 insertions(+), 4 deletions(-) (limited to 'http-backend.c') diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index 867675fcec..022a2433a8 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt @@ -22,6 +22,23 @@ By default, only the `upload-pack` service is enabled, which serves This is ideally suited for read-only updates, i.e., pulling from git repositories. +SERVICES +-------- +These services can be enabled/disabled using the per-repository +configuration file: + +http.uploadpack:: + This serves 'git-fetch-pack' and 'git-ls-remote' clients. + It is enabled by default, but a repository can disable it + by setting this configuration item to `false`. + +http.receivepack:: + This serves 'git-send-pack' clients, allowing push. It is + disabled by default for anonymous users, and enabled by + default for users authenticated by the web server. It can be + disabled by setting this item to `false`, or enabled for all + users, including anonymous users, by setting it to `true`. + URL TRANSLATION --------------- 'git-http-backend' relies on the invoking web server to perform @@ -49,7 +66,19 @@ ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/git/ ---------------------------------------------------------------- + -To require authentication for reads, use a Directory +To enable anonymous read access but authenticated write access, +require authorization with a LocationMatch directive: ++ +---------------------------------------------------------------- + + AuthType Basic + AuthName "Git Access" + Require group committers + ... + +---------------------------------------------------------------- ++ +To require authentication for both reads and writes, use a Directory directive around the repository, or one of its parent directories: + ---------------------------------------------------------------- @@ -92,6 +121,14 @@ by the invoking web server, including: * QUERY_STRING * REQUEST_METHOD +The backend process sets GIT_COMMITTER_NAME to '$REMOTE_USER' and +GIT_COMMITTER_EMAIL to '$\{REMOTE_USER}@http.$\{REMOTE_ADDR\}', +ensuring that any reflogs created by 'git-receive-pack' contain some +identifying information of the remote user who performed the push. + +All CGI environment variables are available to each of the hooks +invoked by the 'git-receive-pack'. + Author ------ Written by Shawn O. Pearce . diff --git a/http-backend.c b/http-backend.c index 22bec56b98..bfce52063f 100644 --- a/http-backend.c +++ b/http-backend.c @@ -4,11 +4,109 @@ #include "object.h" #include "tag.h" #include "exec_cmd.h" +#include "run-command.h" +#include "string-list.h" static const char content_type[] = "Content-Type"; static const char content_length[] = "Content-Length"; static const char last_modified[] = "Last-Modified"; +static struct string_list *query_params; + +struct rpc_service { + const char *name; + const char *config_name; + signed enabled : 2; +}; + +static struct rpc_service rpc_service[] = { + { "upload-pack", "uploadpack", 1 }, + { "receive-pack", "receivepack", -1 }, +}; + +static int decode_char(const char *q) +{ + int i; + unsigned char val = 0; + for (i = 0; i < 2; i++) { + unsigned char c = *q++; + val <<= 4; + if (c >= '0' && c <= '9') + val += c - '0'; + else if (c >= 'a' && c <= 'f') + val += c - 'a' + 10; + else if (c >= 'A' && c <= 'F') + val += c - 'A' + 10; + else + return -1; + } + return val; +} + +static char *decode_parameter(const char **query, int is_name) +{ + const char *q = *query; + struct strbuf out; + + strbuf_init(&out, 16); + do { + unsigned char c = *q; + + if (!c) + break; + if (c == '&' || (is_name && c == '=')) { + q++; + break; + } + + if (c == '%') { + int val = decode_char(q + 1); + if (0 <= val) { + strbuf_addch(&out, val); + q += 3; + continue; + } + } + + if (c == '+') + strbuf_addch(&out, ' '); + else + strbuf_addch(&out, c); + q++; + } while (1); + *query = q; + return strbuf_detach(&out, NULL); +} + +static struct string_list *get_parameters(void) +{ + if (!query_params) { + const char *query = getenv("QUERY_STRING"); + + query_params = xcalloc(1, sizeof(*query_params)); + while (query && *query) { + char *name = decode_parameter(&query, 1); + char *value = decode_parameter(&query, 0); + struct string_list_item *i; + + i = string_list_lookup(name, query_params); + if (!i) + i = string_list_insert(name, query_params); + else + free(i->util); + i->util = value; + } + } + return query_params; +} + +static const char *get_parameter(const char *name) +{ + struct string_list_item *i; + i = string_list_lookup(name, get_parameters()); + return i ? i->util : NULL; +} + static void format_write(int fd, const char *fmt, ...) { static char buffer[1024]; @@ -81,6 +179,21 @@ static NORETURN void not_found(const char *err, ...) exit(0); } +static NORETURN void forbidden(const char *err, ...) +{ + va_list params; + + http_status(403, "Forbidden"); + hdr_nocache(); + end_headers(); + + va_start(params, err); + if (err && *err) + vfprintf(stderr, err, params); + va_end(params); + exit(0); +} + static void send_strbuf(const char *type, struct strbuf *buf) { hdr_int(content_length, buf->len); @@ -147,6 +260,145 @@ static void get_idx_file(char *name) send_file("application/x-git-packed-objects-toc", name); } +static int http_config(const char *var, const char *value, void *cb) +{ + struct rpc_service *svc = cb; + + if (!prefixcmp(var, "http.") && + !strcmp(var + 5, svc->config_name)) { + svc->enabled = git_config_bool(var, value); + return 0; + } + + /* we are not interested in parsing any other configuration here */ + return 0; +} + +static struct rpc_service *select_service(const char *name) +{ + struct rpc_service *svc = NULL; + int i; + + if (prefixcmp(name, "git-")) + forbidden("Unsupported service: '%s'", name); + + for (i = 0; i < ARRAY_SIZE(rpc_service); i++) { + struct rpc_service *s = &rpc_service[i]; + if (!strcmp(s->name, name + 4)) { + svc = s; + break; + } + } + + if (!svc) + forbidden("Unsupported service: '%s'", name); + + git_config(http_config, svc); + if (svc->enabled < 0) { + const char *user = getenv("REMOTE_USER"); + svc->enabled = (user && *user) ? 1 : 0; + } + if (!svc->enabled) + forbidden("Service not enabled: '%s'", svc->name); + return svc; +} + +static void inflate_request(const char *prog_name, int out) +{ + z_stream stream; + unsigned char in_buf[8192]; + unsigned char out_buf[8192]; + unsigned long cnt = 0; + int ret; + + memset(&stream, 0, sizeof(stream)); + ret = inflateInit2(&stream, (15 + 16)); + if (ret != Z_OK) + die("cannot start zlib inflater, zlib err %d", ret); + + while (1) { + ssize_t n = xread(0, in_buf, sizeof(in_buf)); + if (n <= 0) + die("request ended in the middle of the gzip stream"); + + stream.next_in = in_buf; + stream.avail_in = n; + + while (0 < stream.avail_in) { + int ret; + + stream.next_out = out_buf; + stream.avail_out = sizeof(out_buf); + + ret = inflate(&stream, Z_NO_FLUSH); + if (ret != Z_OK && ret != Z_STREAM_END) + die("zlib error inflating request, result %d", ret); + + n = stream.total_out - cnt; + if (write_in_full(out, out_buf, n) != n) + die("%s aborted reading request", prog_name); + cnt += n; + + if (ret == Z_STREAM_END) + goto done; + } + } + +done: + inflateEnd(&stream); + close(out); +} + +static void run_service(const char **argv) +{ + const char *encoding = getenv("HTTP_CONTENT_ENCODING"); + const char *user = getenv("REMOTE_USER"); + const char *host = getenv("REMOTE_ADDR"); + char *env[3]; + struct strbuf buf = STRBUF_INIT; + int gzipped_request = 0; + struct child_process cld; + + if (encoding && !strcmp(encoding, "gzip")) + gzipped_request = 1; + else if (encoding && !strcmp(encoding, "x-gzip")) + gzipped_request = 1; + + if (!user || !*user) + user = "anonymous"; + if (!host || !*host) + host = "(none)"; + + memset(&env, 0, sizeof(env)); + strbuf_addf(&buf, "GIT_COMMITTER_NAME=%s", user); + env[0] = strbuf_detach(&buf, NULL); + + strbuf_addf(&buf, "GIT_COMMITTER_EMAIL=%s@http.%s", user, host); + env[1] = strbuf_detach(&buf, NULL); + env[2] = NULL; + + memset(&cld, 0, sizeof(cld)); + cld.argv = argv; + cld.env = (const char *const *)env; + if (gzipped_request) + cld.in = -1; + cld.git_cmd = 1; + if (start_command(&cld)) + exit(1); + + close(1); + if (gzipped_request) + inflate_request(argv[0], cld.in); + else + close(0); + + if (finish_command(&cld)) + exit(1); + free(env[0]); + free(env[1]); + strbuf_release(&buf); +} + static int show_text_ref(const char *name, const unsigned char *sha1, int flag, void *cb_data) { @@ -167,11 +419,32 @@ static int show_text_ref(const char *name, const unsigned char *sha1, static void get_info_refs(char *arg) { + const char *service_name = get_parameter("service"); struct strbuf buf = STRBUF_INIT; - for_each_ref(show_text_ref, &buf); hdr_nocache(); - send_strbuf("text/plain", &buf); + + if (service_name) { + const char *argv[] = {NULL /* service name */, + "--stateless-rpc", "--advertise-refs", + ".", NULL}; + struct rpc_service *svc = select_service(service_name); + + strbuf_addf(&buf, "application/x-git-%s-advertisement", + svc->name); + hdr_str(content_type, buf.buf); + end_headers(); + + packet_write(1, "# service=git-%s\n", svc->name); + packet_flush(1); + + argv[0] = svc->name; + run_service(argv); + + } else { + for_each_ref(show_text_ref, &buf); + send_strbuf("text/plain", &buf); + } strbuf_release(&buf); } @@ -200,6 +473,48 @@ static void get_info_packs(char *arg) strbuf_release(&buf); } +static void check_content_type(const char *accepted_type) +{ + const char *actual_type = getenv("CONTENT_TYPE"); + + if (!actual_type) + actual_type = ""; + + if (strcmp(actual_type, accepted_type)) { + http_status(415, "Unsupported Media Type"); + hdr_nocache(); + end_headers(); + format_write(1, + "Expected POST with Content-Type '%s'," + " but received '%s' instead.\n", + accepted_type, actual_type); + exit(0); + } +} + +static void service_rpc(char *service_name) +{ + const char *argv[] = {NULL, "--stateless-rpc", ".", NULL}; + struct rpc_service *svc = select_service(service_name); + struct strbuf buf = STRBUF_INIT; + + strbuf_reset(&buf); + strbuf_addf(&buf, "application/x-git-%s-request", svc->name); + check_content_type(buf.buf); + + hdr_nocache(); + + strbuf_reset(&buf); + strbuf_addf(&buf, "application/x-git-%s-result", svc->name); + hdr_str(content_type, buf.buf); + + end_headers(); + + argv[0] = svc->name; + run_service(argv); + strbuf_release(&buf); +} + static NORETURN void die_webcgi(const char *err, va_list params) { char buffer[1000]; @@ -225,7 +540,10 @@ static struct service_cmd { {"GET", "/objects/info/packs$", get_info_packs}, {"GET", "/objects/[0-9a-f]{2}/[0-9a-f]{38}$", get_loose_object}, {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.pack$", get_pack_file}, - {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.idx$", get_idx_file} + {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.idx$", get_idx_file}, + + {"POST", "/git-upload-pack$", service_rpc}, + {"POST", "/git-receive-pack$", service_rpc} }; int main(int argc, char **argv) -- cgit v1.2.3 From 917adc036086f52b0277ff03d10b7044c9d9d0d2 Mon Sep 17 00:00:00 2001 From: Mark Lodato Date: Fri, 30 Oct 2009 17:47:35 -0700 Subject: http-backend: add GIT_PROJECT_ROOT environment var Add a new environment variable, GIT_PROJECT_ROOT, to override the method of using PATH_TRANSLATED to find the git repository on disk. This makes it much easier to configure the web server, especially when the web server's DocumentRoot does not contain the git repositories, which is the usual case. Signed-off-by: Mark Lodato Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- Documentation/git-http-backend.txt | 39 +++++++++++++++++--------------------- http-backend.c | 25 +++++++++++++++++++++--- 2 files changed, 39 insertions(+), 25 deletions(-) (limited to 'http-backend.c') diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index 022a2433a8..99dbbfb966 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt @@ -41,29 +41,24 @@ http.receivepack:: URL TRANSLATION --------------- -'git-http-backend' relies on the invoking web server to perform -URL to path translation, and store the repository path into the -PATH_TRANSLATED environment variable. Most web servers will do -this translation automatically, resolving the suffix after the -CGI name relative to the server's document root. +To determine the location of the repository on disk, 'git-http-backend' +concatenates the environment variables PATH_INFO, which is set +automatically by the web server, and GIT_PROJECT_ROOT, which must be set +manually in the web server configuration. If GIT_PROJECT_ROOT is not +set, 'git-http-backend' reads PATH_TRANSLATED, which is also set +automatically by the web server. EXAMPLES -------- Apache 2.x:: - To serve all Git repositories contained within the '/git/' - subdirectory of the DocumentRoot, ensure mod_cgi and - mod_alias are enabled, and create a ScriptAlias to the CGI: + Ensure mod_cgi, mod_alias, and mod_env are enabled, set + GIT_PROJECT_ROOT (or DocumentRoot) appropriately, and + create a ScriptAlias to the CGI: + ---------------------------------------------------------------- -ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/git/ - - - Options None - - - Options ExecCGI - +SetEnv GIT_PROJECT_ROOT /var/www/git +ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ ---------------------------------------------------------------- + To enable anonymous read access but authenticated write access, @@ -78,16 +73,16 @@ require authorization with a LocationMatch directive: ---------------------------------------------------------------- + -To require authentication for both reads and writes, use a Directory +To require authentication for both reads and writes, use a Location directive around the repository, or one of its parent directories: + ---------------------------------------------------------------- - + AuthType Basic AuthName "Private Git Access" Require group committers ... - + ---------------------------------------------------------------- Accelerated static Apache 2.x:: @@ -97,9 +92,9 @@ Accelerated static Apache 2.x:: file contents from the file system directly to the network: + ---------------------------------------------------------------- -DocumentRoot /var/www +SetEnv GIT_PROJECT_ROOT /var/www/git -ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/git/ +ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ Alias /git_static/ /var/www/git/ RewriteEngine on @@ -114,7 +109,7 @@ ENVIRONMENT 'git-http-backend' relies upon the CGI environment variables set by the invoking web server, including: -* PATH_TRANSLATED +* PATH_INFO (if GIT_PROJECT_ROOT is set, otherwise PATH_TRANSLATED) * REMOTE_USER * REMOTE_ADDR * CONTENT_TYPE diff --git a/http-backend.c b/http-backend.c index bfce52063f..7900cda69a 100644 --- a/http-backend.c +++ b/http-backend.c @@ -528,6 +528,26 @@ static NORETURN void die_webcgi(const char *err, va_list params) exit(0); } +static char* getdir(void) +{ + struct strbuf buf = STRBUF_INIT; + char *pathinfo = getenv("PATH_INFO"); + char *root = getenv("GIT_PROJECT_ROOT"); + char *path = getenv("PATH_TRANSLATED"); + + if (root && *root) { + if (!pathinfo || !*pathinfo) + die("GIT_PROJECT_ROOT is set but PATH_INFO is not"); + strbuf_addstr(&buf, root); + strbuf_addstr(&buf, pathinfo); + return strbuf_detach(&buf, NULL); + } else if (path && *path) { + return xstrdup(path); + } else + die("No GIT_PROJECT_ROOT or PATH_TRANSLATED from server"); + return NULL; +} + static struct service_cmd { const char *method; const char *pattern; @@ -549,7 +569,7 @@ static struct service_cmd { int main(int argc, char **argv) { char *method = getenv("REQUEST_METHOD"); - char *dir = getenv("PATH_TRANSLATED"); + char *dir; struct service_cmd *cmd = NULL; char *cmd_arg = NULL; int i; @@ -561,8 +581,7 @@ int main(int argc, char **argv) die("No REQUEST_METHOD from server"); if (!strcmp(method, "HEAD")) method = "GET"; - if (!dir) - die("No PATH_TRANSLATED from server"); + dir = getdir(); for (i = 0; i < ARRAY_SIZE(services); i++) { struct service_cmd *c = &services[i]; -- cgit v1.2.3 From 5abb013b3ddfb42e5baa3c7de052af596a0ee82f Mon Sep 17 00:00:00 2001 From: "Shawn O. Pearce" Date: Wed, 4 Nov 2009 17:16:37 -0800 Subject: http-backend: Use http.getanyfile to disable dumb HTTP serving Some repository owners may wish to enable smart HTTP, but disallow dumb content serving. Disallowing dumb serving might be because the owners want to rely upon reachability to control which objects clients may access from the repository, or they just want to encourage clients to use the more bandwidth efficient transport. If http.getanyfile is set to false the backend CGI will return with '403 Forbidden' when an object file is accessed by a dumb client. Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- Documentation/git-http-backend.txt | 8 ++++++++ http-backend.c | 34 ++++++++++++++++++++++++++++------ 2 files changed, 36 insertions(+), 6 deletions(-) (limited to 'http-backend.c') diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index f17251ab9d..67aec067c8 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt @@ -29,6 +29,14 @@ SERVICES These services can be enabled/disabled using the per-repository configuration file: +http.getanyfile:: + This serves older Git clients which are unable to use the + upload pack service. When enabled, clients are able to read + any file within the repository, including objects that are + no longer reachable from a branch but are still present. + It is enabled by default, but a repository can disable it + by setting this configuration item to `false`. + http.uploadpack:: This serves 'git-fetch-pack' and 'git-ls-remote' clients. It is enabled by default, but a repository can disable it diff --git a/http-backend.c b/http-backend.c index 7900cda69a..902126675a 100644 --- a/http-backend.c +++ b/http-backend.c @@ -10,6 +10,7 @@ static const char content_type[] = "Content-Type"; static const char content_length[] = "Content-Length"; static const char last_modified[] = "Last-Modified"; +static int getanyfile = 1; static struct string_list *query_params; @@ -194,6 +195,12 @@ static NORETURN void forbidden(const char *err, ...) exit(0); } +static void select_getanyfile(void) +{ + if (!getanyfile) + forbidden("Unsupported service: getanyfile"); +} + static void send_strbuf(const char *type, struct strbuf *buf) { hdr_int(content_length, buf->len); @@ -238,38 +245,51 @@ static void send_file(const char *the_type, const char *name) static void get_text_file(char *name) { + select_getanyfile(); hdr_nocache(); send_file("text/plain", name); } static void get_loose_object(char *name) { + select_getanyfile(); hdr_cache_forever(); send_file("application/x-git-loose-object", name); } static void get_pack_file(char *name) { + select_getanyfile(); hdr_cache_forever(); send_file("application/x-git-packed-objects", name); } static void get_idx_file(char *name) { + select_getanyfile(); hdr_cache_forever(); send_file("application/x-git-packed-objects-toc", name); } static int http_config(const char *var, const char *value, void *cb) { - struct rpc_service *svc = cb; - - if (!prefixcmp(var, "http.") && - !strcmp(var + 5, svc->config_name)) { - svc->enabled = git_config_bool(var, value); + if (!strcmp(var, "http.getanyfile")) { + getanyfile = git_config_bool(var, value); return 0; } + if (!prefixcmp(var, "http.")) { + int i; + + for (i = 0; i < ARRAY_SIZE(rpc_service); i++) { + struct rpc_service *svc = &rpc_service[i]; + if (!strcmp(var + 5, svc->config_name)) { + svc->enabled = git_config_bool(var, value); + return 0; + } + } + } + /* we are not interested in parsing any other configuration here */ return 0; } @@ -293,7 +313,6 @@ static struct rpc_service *select_service(const char *name) if (!svc) forbidden("Unsupported service: '%s'", name); - git_config(http_config, svc); if (svc->enabled < 0) { const char *user = getenv("REMOTE_USER"); svc->enabled = (user && *user) ? 1 : 0; @@ -442,6 +461,7 @@ static void get_info_refs(char *arg) run_service(argv); } else { + select_getanyfile(); for_each_ref(show_text_ref, &buf); send_strbuf("text/plain", &buf); } @@ -455,6 +475,7 @@ static void get_info_packs(char *arg) struct packed_git *p; size_t cnt = 0; + select_getanyfile(); prepare_packed_git(); for (p = packed_git; p; p = p->next) { if (p->pack_local) @@ -621,6 +642,7 @@ int main(int argc, char **argv) if (!enter_repo(dir, 0)) not_found("Not a git repository: '%s'", dir); + git_config(http_config, NULL); cmd->imp(cmd_arg); return 0; } -- cgit v1.2.3 From 92815b3363c6cf317337437a986bdf2e8f1aa3a0 Mon Sep 17 00:00:00 2001 From: "Shawn O. Pearce" Date: Mon, 9 Nov 2009 07:24:33 -0800 Subject: Git-aware CGI to provide dumb HTTP transport http-backend: Fix symbol clash on AIX 5.3 Mike says: > > +static void send_file(const char *the_type, const char *name) > > +{ > > I think a symbol clash here is responsible for a build breakage in > next on AIX 5.3: > > CC http-backend.o > http-backend.c:213: error: conflicting types for `send_file' > /usr/include/sys/socket.h:676: error: previous declaration of `send_file' > gmake: *** [http-backend.o] Error 1 So we rename the function send_local_file(). Reported-by: Mike Ralphson Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- http-backend.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'http-backend.c') diff --git a/http-backend.c b/http-backend.c index 902126675a..646e9108bd 100644 --- a/http-backend.c +++ b/http-backend.c @@ -209,7 +209,7 @@ static void send_strbuf(const char *type, struct strbuf *buf) safe_write(1, buf->buf, buf->len); } -static void send_file(const char *the_type, const char *name) +static void send_local_file(const char *the_type, const char *name) { const char *p = git_path("%s", name); size_t buf_alloc = 8192; @@ -247,28 +247,28 @@ static void get_text_file(char *name) { select_getanyfile(); hdr_nocache(); - send_file("text/plain", name); + send_local_file("text/plain", name); } static void get_loose_object(char *name) { select_getanyfile(); hdr_cache_forever(); - send_file("application/x-git-loose-object", name); + send_local_file("application/x-git-loose-object", name); } static void get_pack_file(char *name) { select_getanyfile(); hdr_cache_forever(); - send_file("application/x-git-packed-objects", name); + send_local_file("application/x-git-packed-objects", name); } static void get_idx_file(char *name) { select_getanyfile(); hdr_cache_forever(); - send_file("application/x-git-packed-objects-toc", name); + send_local_file("application/x-git-packed-objects-toc", name); } static int http_config(const char *var, const char *value, void *cb) -- cgit v1.2.3 From 34b6cb8bb032bd16f3d1c93a8417beb75e51ed29 Mon Sep 17 00:00:00 2001 From: "Shawn O. Pearce" Date: Mon, 9 Nov 2009 11:26:43 -0800 Subject: http-backend: Protect GIT_PROJECT_ROOT from /../ requests Eons ago HPA taught git-daemon how to protect itself from /../ attacks, which Junio brought back into service in d79374c7b58d ("daemon.c and path.enter_repo(): revamp path validation"). I did not carry this into git-http-backend as originally we relied only upon PATH_TRANSLATED, and assumed the HTTP server had done its access control checks to validate the resolved path was within a directory permitting access from the remote client. This would usually be sufficient to protect a server from requests for its /etc/passwd file by http://host/smart/../etc/passwd sorts of URLs. However in 917adc036086 Mark Lodato added GIT_PROJECT_ROOT as an additional method of configuring the CGI. When this environment variable is used the web server does not generate the final access path and therefore may blindly pass through "/../etc/passwd" in PATH_INFO under the assumption that "/../" might have special meaning to the invoked CGI. Instead of permitting these sorts of malformed path requests, we now reject them back at the client, with an error message for the server log. This matches git-daemon behavior. Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- cache.h | 1 + daemon.c | 49 +------------------------------------------------ http-backend.c | 6 ++++++ path.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ t/t5560-http-backend.sh | 31 +++++++++++++++++++++++++++++++ 5 files changed, 86 insertions(+), 48 deletions(-) (limited to 'http-backend.c') diff --git a/cache.h b/cache.h index 4e283be24e..ecbd88adba 100644 --- a/cache.h +++ b/cache.h @@ -656,6 +656,7 @@ const char *make_relative_path(const char *abs, const char *base); int normalize_path_copy(char *dst, const char *src); int longest_ancestor_length(const char *path, const char *prefix_list); char *strip_path_suffix(const char *path, const char *suffix); +int daemon_avoid_alias(const char *path); /* Read and unpack a sha1 file into memory, write memory to a sha1 file */ extern int sha1_object_info(const unsigned char *, unsigned long *); diff --git a/daemon.c b/daemon.c index 1b5ada6648..ce4800621c 100644 --- a/daemon.c +++ b/daemon.c @@ -101,53 +101,6 @@ static void NORETURN daemon_die(const char *err, va_list params) exit(1); } -static int avoid_alias(char *p) -{ - int sl, ndot; - - /* - * This resurrects the belts and suspenders paranoia check by HPA - * done in <435560F7.4080006@zytor.com> thread, now enter_repo() - * does not do getcwd() based path canonicalizations. - * - * sl becomes true immediately after seeing '/' and continues to - * be true as long as dots continue after that without intervening - * non-dot character. - */ - if (!p || (*p != '/' && *p != '~')) - return -1; - sl = 1; ndot = 0; - p++; - - while (1) { - char ch = *p++; - if (sl) { - if (ch == '.') - ndot++; - else if (ch == '/') { - if (ndot < 3) - /* reject //, /./ and /../ */ - return -1; - ndot = 0; - } - else if (ch == 0) { - if (0 < ndot && ndot < 3) - /* reject /.$ and /..$ */ - return -1; - return 0; - } - else - sl = ndot = 0; - } - else if (ch == 0) - return 0; - else if (ch == '/') { - sl = 1; - ndot = 0; - } - } -} - static char *path_ok(char *directory) { static char rpath[PATH_MAX]; @@ -157,7 +110,7 @@ static char *path_ok(char *directory) dir = directory; - if (avoid_alias(dir)) { + if (daemon_avoid_alias(dir)) { logerror("'%s': aliased", dir); return NULL; } diff --git a/http-backend.c b/http-backend.c index 646e9108bd..f8ea9d7faa 100644 --- a/http-backend.c +++ b/http-backend.c @@ -559,7 +559,13 @@ static char* getdir(void) if (root && *root) { if (!pathinfo || !*pathinfo) die("GIT_PROJECT_ROOT is set but PATH_INFO is not"); + if (daemon_avoid_alias(pathinfo)) + die("'%s': aliased", pathinfo); strbuf_addstr(&buf, root); + if (buf.buf[buf.len - 1] != '/') + strbuf_addch(&buf, '/'); + if (pathinfo[0] == '/') + pathinfo++; strbuf_addstr(&buf, pathinfo); return strbuf_detach(&buf, NULL); } else if (path && *path) { diff --git a/path.c b/path.c index 047fdb0a1f..c7679be5c8 100644 --- a/path.c +++ b/path.c @@ -564,3 +564,50 @@ char *strip_path_suffix(const char *path, const char *suffix) return NULL; return xstrndup(path, chomp_trailing_dir_sep(path, path_len)); } + +int daemon_avoid_alias(const char *p) +{ + int sl, ndot; + + /* + * This resurrects the belts and suspenders paranoia check by HPA + * done in <435560F7.4080006@zytor.com> thread, now enter_repo() + * does not do getcwd() based path canonicalizations. + * + * sl becomes true immediately after seeing '/' and continues to + * be true as long as dots continue after that without intervening + * non-dot character. + */ + if (!p || (*p != '/' && *p != '~')) + return -1; + sl = 1; ndot = 0; + p++; + + while (1) { + char ch = *p++; + if (sl) { + if (ch == '.') + ndot++; + else if (ch == '/') { + if (ndot < 3) + /* reject //, /./ and /../ */ + return -1; + ndot = 0; + } + else if (ch == 0) { + if (0 < ndot && ndot < 3) + /* reject /.$ and /..$ */ + return -1; + return 0; + } + else + sl = ndot = 0; + } + else if (ch == 0) + return 0; + else if (ch == '/') { + sl = 1; + ndot = 0; + } + } +} diff --git a/t/t5560-http-backend.sh b/t/t5560-http-backend.sh index 908ba079d2..ed034bc980 100755 --- a/t/t5560-http-backend.sh +++ b/t/t5560-http-backend.sh @@ -146,6 +146,37 @@ test_expect_success 'http.receivepack false' ' POST git-receive-pack 0000 "403 Forbidden" ' +run_backend() { + REQUEST_METHOD=GET \ + GIT_PROJECT_ROOT="$HTTPD_DOCUMENT_ROOT_PATH" \ + PATH_INFO="$2" \ + git http-backend >act.out 2>act.err +} + +path_info() { + if test $1 = 0; then + run_backend "$2" + else + test_must_fail run_backend "$2" && + echo "fatal: '$2': aliased" >exp.err && + test_cmp exp.err act.err + fi +} + +test_expect_success 'http-backend blocks bad PATH_INFO' ' + config http.getanyfile true && + + run_backend 0 /repo.git/HEAD && + + run_backend 1 /repo.git/../HEAD && + run_backend 1 /../etc/passwd && + run_backend 1 ../etc/passwd && + run_backend 1 /etc//passwd && + run_backend 1 /etc/./passwd && + run_backend 1 /etc/.../passwd && + run_backend 1 //domain/data.txt +' + cat >exp < Date: Wed, 11 Nov 2009 20:42:41 -0800 Subject: http-backend: Fix bad treatment of uintmax_t in Content-Length Our Content-Length needs to report an off_t, which could be larger precision than size_t on this system (e.g. 32 bit binary built with 64 bit large file support). We also shouldn't be passing a size_t parameter to printf when we've used PRIuMAX as the format specifier. Fix both issues by using uintmax_t for the hdr_int() routine, allowing strbuf's size_t to automatically upcast, and off_t to always fit. Also fixed the copy loop we use inside of send_local_file(), we never actually updated the size variable so we might as well not use it. Reported-by: Tarmigan Signed-off-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- http-backend.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'http-backend.c') diff --git a/http-backend.c b/http-backend.c index f8ea9d7faa..7f48406d6d 100644 --- a/http-backend.c +++ b/http-backend.c @@ -134,7 +134,7 @@ static void hdr_str(const char *name, const char *value) format_write(1, "%s: %s\r\n", name, value); } -static void hdr_int(const char *name, size_t value) +static void hdr_int(const char *name, uintmax_t value) { format_write(1, "%s: %" PRIuMAX "\r\n", name, value); } @@ -216,7 +216,6 @@ static void send_local_file(const char *the_type, const char *name) char *buf = xmalloc(buf_alloc); int fd; struct stat sb; - size_t size; fd = open(p, O_RDONLY); if (fd < 0) @@ -224,14 +223,12 @@ static void send_local_file(const char *the_type, const char *name) if (fstat(fd, &sb) < 0) die_errno("Cannot stat '%s'", p); - size = xsize_t(sb.st_size); - - hdr_int(content_length, size); + hdr_int(content_length, sb.st_size); hdr_str(content_type, the_type); hdr_date(last_modified, sb.st_mtime); end_headers(); - while (size) { + for (;;) { ssize_t n = xread(fd, buf, buf_alloc); if (n < 0) die_errno("Cannot read '%s'", p); -- cgit v1.2.3 From 48aec1b1f14578ac7560c8be40890ebf52c91d78 Mon Sep 17 00:00:00 2001 From: Tarmigan Casebolt Date: Sat, 14 Nov 2009 13:10:57 -0800 Subject: http-backend: Fix access beyond end of string. Found with valgrind while looking for Content-Length corruption in smart http. Signed-off-by: Tarmigan Casebolt Signed-off-by: Junio C Hamano --- http-backend.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'http-backend.c') diff --git a/http-backend.c b/http-backend.c index 7f48406d6d..8e08f057dd 100644 --- a/http-backend.c +++ b/http-backend.c @@ -615,7 +615,7 @@ int main(int argc, char **argv) if (regcomp(&re, c->pattern, REG_EXTENDED)) die("Bogus regex in service table: %s", c->pattern); if (!regexec(&re, dir, 1, out, 0)) { - size_t n = out[0].rm_eo - out[0].rm_so; + size_t n; if (strcmp(method, c->method)) { const char *proto = getenv("SERVER_PROTOCOL"); @@ -629,9 +629,10 @@ int main(int argc, char **argv) } cmd = c; + n = out[0].rm_eo - out[0].rm_so; cmd_arg = xmalloc(n); - strncpy(cmd_arg, dir + out[0].rm_so + 1, n); - cmd_arg[n] = '\0'; + memcpy(cmd_arg, dir + out[0].rm_so + 1, n-1); + cmd_arg[n-1] = '\0'; dir[out[0].rm_so] = 0; break; } -- cgit v1.2.3 From 354870171bc98dfef7dfa037b3fe9ac9454c94a2 Mon Sep 17 00:00:00 2001 From: Tarmigan Casebolt Date: Sat, 14 Nov 2009 13:10:58 -0800 Subject: http-backend: Let gcc check the format of more printf-type functions. We already have these checks in many printf-type functions that have prototypes which are in header files. Add these same checks to static functions in http-backend.c Signed-off-by: Tarmigan Casebolt Acked-by: Shawn O. Pearce Signed-off-by: Junio C Hamano --- http-backend.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'http-backend.c') diff --git a/http-backend.c b/http-backend.c index 8e08f057dd..f729488fc5 100644 --- a/http-backend.c +++ b/http-backend.c @@ -108,6 +108,7 @@ static const char *get_parameter(const char *name) return i ? i->util : NULL; } +__attribute__((format (printf, 2, 3))) static void format_write(int fd, const char *fmt, ...) { static char buffer[1024]; @@ -165,6 +166,7 @@ static void end_headers(void) safe_write(1, "\r\n", 2); } +__attribute__((format (printf, 1, 2))) static NORETURN void not_found(const char *err, ...) { va_list params; @@ -180,6 +182,7 @@ static NORETURN void not_found(const char *err, ...) exit(0); } +__attribute__((format (printf, 1, 2))) static NORETURN void forbidden(const char *err, ...) { va_list params; -- cgit v1.2.3