summaryrefslogtreecommitdiff
path: root/fsck.c
diff options
context:
space:
mode:
authorJonathan Nieder <jrnieder@gmail.com>2020-04-18 20:57:22 -0700
committerJonathan Nieder <jrnieder@gmail.com>2020-04-19 16:10:58 -0700
commit1a3609e402a062ef7b11f197fe96c28cabca132c (patch)
tree469c92e12e61fa6dba844a1b3943909c7dd7e3b7 /fsck.c
parente7fab62b736cca3416660636e46f0be8386a5030 (diff)
downloadgit-1a3609e402a062ef7b11f197fe96c28cabca132c.tar.gz
fsck: reject URL with empty host in .gitmodules
Git's URL parser interprets https:///example.com/repo.git to have no host and a path of "example.com/repo.git". Curl, on the other hand, internally redirects it to https://example.com/repo.git. As a result, until "credential: parse URL without host as empty host, not unset", tricking a user into fetching from such a URL would cause Git to send credentials for another host to example.com. Teach fsck to block and detect .gitmodules files using such a URL to prevent sharing them with Git versions that are not yet protected. A relative URL in a .gitmodules file could also be used to trigger this. The relative URL resolver used for .gitmodules does not normalize sequences of slashes and can follow ".." components out of the path part and to the host part of a URL, meaning that such a relative URL can be used to traverse from a https://foo.example.com/innocent superproject to a https:///attacker.example.com/exploit submodule. Fortunately, redundant extra slashes in .gitmodules are rare, so we can catch this by detecting one after a leading sequence of "./" and "../" components. Helped-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Reviewed-by: Jeff King <peff@peff.net>
Diffstat (limited to 'fsck.c')
-rw-r--r--fsck.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/fsck.c b/fsck.c
index 41af5c0d5f..31b5be05f5 100644
--- a/fsck.c
+++ b/fsck.c
@@ -1064,17 +1064,21 @@ static int check_submodule_url(const char *url)
/*
* URLs which escape their root via "../" can overwrite
* the host field and previous components, resolving to
- * URLs like https::example.com/submodule.git that were
+ * URLs like https::example.com/submodule.git and
+ * https:///example.com/submodule.git that were
* susceptible to CVE-2020-11008.
*/
if (count_leading_dotdots(url, &next) > 0 &&
- *next == ':')
+ (*next == ':' || *next == '/'))
return -1;
}
else if (url_to_curl_url(url, &curl_url)) {
struct credential c = CREDENTIAL_INIT;
- int ret = credential_from_url_gently(&c, curl_url, 1);
+ int ret = 0;
+ if (credential_from_url_gently(&c, curl_url, 1) ||
+ !*c.host)
+ ret = -1;
credential_clear(&c);
return ret;
}