From: Robin Rosenberg <robin.rosenberg.lists@dewire.com>
To: "Shawn O. Pearce" <spearce@spearce.org>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] Permit a wider range of repository names in jgit daemon requests
Date: Tue, 6 Jan 2009 00:07:43 +0100 [thread overview]
Message-ID: <200901060007.43909.robin.rosenberg.lists@dewire.com> (raw)
In-Reply-To: <20090105024622.GC20973@spearce.org>
Monday 05 January 2009 03:46:22, Shawn O. Pearce wrote:
> The earlier restriction was too narrow for some applications, for
> example repositories named "jgit.dev" and "jgit.test" are perfectly
> valid Git repositories and should still be able to be served by
> the daemon.
>
> By blocking out only uses of ".." as a path component and Windows
> UNC paths (by blocking "\") we can reasonably prevent the client
> from escaping the base directories configured in the daemon.
>
> + if (name.startsWith("../") || name.contains("/../")
> + || name.contains("\\"))
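Review bot: the substring test in `+ if (name.startsWith("../") || name.contains("/../")` misses a parent component at the end of the name, so "foo/.." and a bare ".." pass while "../foo" is rejected; splitting the name on "/" and rejecting any component equal to ".." closes that gap in one place, and the same loop could reject a leading "/" (an absolute path), which the hunk does not check at all.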
//host/share also works as a UNC path (even the DOS commands support it, provided
you quote the paths) and if you block //, shouldn't '/' and '[A-Z]:' also be blocked?
\\ is a UNC prefix only at the beginning of a path, so if / need not be filtered, neither
does //. Inside a path \\ is the same as \ AFAIK (except directly after the drive letter).
This should probably be factored out into a utility so we can have a simple unit test for it.
-- robin
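An added example of the kind of utility this reply asks for, written here for illustration and not taken from the thread or from JGit: it checks the requested name component by component rather than by substring, so "foo/.." and a bare ".." are rejected along with "../foo", and it also refuses absolute paths, "//host/share" and drive-letter prefixes as discussed above. The class name, the set of rejected forms and the sample names are assumptions.

```java
import java.util.regex.Pattern;

/** Hypothetical utility (not JGit's own code) that decides whether a
 *  repository name requested from the daemon may be joined onto a
 *  configured base directory. It rejects by path component instead of
 *  by substring, so "foo/.." and ".." are caught as well as "../x". */
public final class RepositoryNameCheck {
    // "C:" style drive prefix; assumption: valid names never carry one.
    private static final Pattern DRIVE_LETTER = Pattern.compile("^[A-Za-z]:");

    public static boolean isSafe(String name) {
        if (name == null || name.isEmpty())
            return false;
        // Any backslash: UNC prefix or Windows separator, never wanted here.
        if (name.indexOf('\\') >= 0)
            return false;
        // Absolute paths ("/x"), UNC-style "//host/share" and drive letters.
        if (name.charAt(0) == '/' || DRIVE_LETTER.matcher(name).find())
            return false;
        // Component-wise: no "..", and no empty component (from "//" or a trailing "/").
        for (String part : name.split("/", -1)) {
            if (part.isEmpty() || part.equals(".."))
                return false;
        }
        return true;
    }

    // Constructed sample names standing in for the simple unit test the reply asks for.
    public static void main(String[] args) {
        String[] accepted = { "jgit.dev", "jgit.test", "team/project.git", "a..b" };
        String[] rejected = { "../x", "x/../y", "x/..", "..", "/etc",
                "//host/share", "C:/repos", "x\\..\\y", "a//b", "x/", "" };
        for (String n : accepted)
            if (!isSafe(n)) throw new AssertionError("should accept: " + n);
        for (String n : rejected)
            if (isSafe(n)) throw new AssertionError("should reject: " + n);
        System.out.println("all checks passed");
    }
}
```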