[PATCH] git-shell: Add 'git-upload-archive' to allowed commands.

[PATCH] git-shell: Add 'git-upload-archive' to allowed commands.

[Erik Broes]

This allows for example gitosis to allow use of 'git archive --remote' in a
controlled environment.

Signed-off-by: Erik Broes <erikbroes@ripe.net>
---

There were some questions on IRC raising (valid) concerns about security.
If there is a dangling commit on the remote end and any user would know
or guess the SHA, it could be retrieved where git-upload-pack will not
allow so.

We were unable to find out if this was the original reason git-shell was
never extended with git-upload-archive functionality or if it was a simple
oversight. If it was the reason I'm not sure there is an easy way out.

 Documentation/git-shell.txt |    6 +++---
 shell.c                     |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Documentation/git-shell.txt b/Documentation/git-shell.txt
index 3f8d973..0f3ad81 100644
--- a/Documentation/git-shell.txt
+++ b/Documentation/git-shell.txt
@@ -18,9 +18,9 @@ of server-side GIT commands implementing the pull/push functionality.
 The commands can be executed only by the '-c' option; the shell is not
 interactive.

-Currently, only three commands are permitted to be called, 'git-receive-pack'
-'git-upload-pack' with a single required argument or 'cvs server' (to invoke
-'git-cvsserver').
+Currently, only four commands are permitted to be called, 'git-receive-pack'
+'git-upload-pack' and 'git-upload-archive' with a single required argument, or
+'cvs server' (to invoke 'git-cvsserver').

 Author
 ------
diff --git a/shell.c b/shell.c
index e339369..b968be7 100644
--- a/shell.c
+++ b/shell.c
@@ -40,6 +40,7 @@ static struct commands {
 } cmd_list[] = {
 	{ "git-receive-pack", do_generic_cmd },
 	{ "git-upload-pack", do_generic_cmd },
+	{ "git-upload-archive", do_generic_cmd },
 	{ "cvs", do_cvs_cmd },
 	{ NULL },
 };
-- 
1.6.2.1.519.gcf01bc

Re: [PATCH] git-shell: Add 'git-upload-archive' to allowed commands.

[Junio C Hamano]

Erik Broes <erikbroes@ripe.net> writes:

> This allows for example gitosis to allow use of 'git archive --remote' in a
> controlled environment.
>
> Signed-off-by: Erik Broes <erikbroes@ripe.net>
> ---
>
> There were some questions on IRC raising (valid) concerns about security.
> If there is a dangling commit on the remote end and any user would know
> or guess the SHA, it could be retrieved where git-upload-pack will not
> allow so.
>
> We were unable to find out if this was the original reason git-shell was
> never extended with git-upload-archive functionality or if it was a simple
> oversight. If it was the reason I'm not sure there is an easy way out.

Can't the "security concern" be addressed by whatever creates the
controlled environment (e.g. gitosis)?  For example, git-daemon can be
configured to service upload-archive request, so I do not think it is such
a bad idea to make this available if the site owner wants to use it.

Re: [PATCH] git-shell: Add 'git-upload-archive' to allowed commands.

[Erik Broes]

> Can't the "security concern" be addressed by whatever creates the
> controlled environment (e.g. gitosis)?  For example, git-daemon can be
> configured to service upload-archive request, so I do not think it is such
> a bad idea to make this available if the site owner wants to use it.

I completely agree. :)

-- 
Erik Broes
Database Group
RIPE NCC

Re: [PATCH] git-shell: Add 'git-upload-archive' to allowed commands.

[Björn Steinbrink]

On 2009.04.11 12:22:54 -0700, Junio C Hamano wrote:
> Erik Broes <erikbroes@ripe.net> writes:
> 
> > This allows for example gitosis to allow use of 'git archive --remote' in a
> > controlled environment.
> >
> > Signed-off-by: Erik Broes <erikbroes@ripe.net>
> > ---
> >
> > There were some questions on IRC raising (valid) concerns about security.
> > If there is a dangling commit on the remote end and any user would know
> > or guess the SHA, it could be retrieved where git-upload-pack will not
> > allow so.
> >
> > We were unable to find out if this was the original reason git-shell was
> > never extended with git-upload-archive functionality or if it was a simple
> > oversight. If it was the reason I'm not sure there is an easy way out.
> 
> Can't the "security concern" be addressed by whatever creates the
> controlled environment (e.g. gitosis)?  For example, git-daemon can be
> configured to service upload-archive request, so I do not think it is such
> a bad idea to make this available if the site owner wants to use it.

But what about users that just have their shell set to git-shell? IIRC
around 1.6.0 we had some reports about broken setups because git-shell
had been moved to libexec. So apparently there are such setups, and the
change would weaken the restrictions for them.

Hm?
Björn