Skip to content

Commit

Permalink
push --signed: tighten what the receiving end can ask to sign
Browse files Browse the repository at this point in the history
Instead of blindly trusting the receiving side to give us a sensible
nonce to sign, limit the length (max 256 bytes) and the alphabet
(alnum and a few selected punctuations, enough to encode in base64)
that can be used in nonce.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
  • Loading branch information
Junio C Hamano committed Apr 2, 2015
1 parent 45917f0 commit afcb6ee
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions send-pack.c
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,28 @@ static int generate_push_cert(struct strbuf *req_buf,
return update_seen;
}

#define NONCE_LEN_LIMIT 256

static void reject_invalid_nonce(const char *nonce, int len)
{
int i = 0;

if (NONCE_LEN_LIMIT <= len)
die("the receiving end asked to sign an invalid nonce <%.*s>",
len, nonce);

for (i = 0; i < len; i++) {
int ch = nonce[i] & 0xFF;
if (isalnum(ch) ||
ch == '-' || ch == '.' ||
ch == '/' || ch == '+' ||
ch == '=' || ch == '_')
continue;
die("the receiving end asked to sign an invalid nonce <%.*s>",
len, nonce);
}
}

int send_pack(struct send_pack_args *args,
int fd[], struct child_process *conn,
struct ref *remote_refs,
Expand Down Expand Up @@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args,
push_cert_nonce = server_feature_value("push-cert", &len);
if (!push_cert_nonce)
die(_("the receiving end does not support --signed push"));
reject_invalid_nonce(push_cert_nonce, len);
push_cert_nonce = xmemdupz(push_cert_nonce, len);
}

Expand Down

0 comments on commit afcb6ee

Please sign in to comment.