From afcb6ee30acf17f4e0338c49fbab301131abfbba Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 1 Apr 2015 18:00:36 -0700 Subject: [PATCH] push --signed: tighten what the receiving end can ask to sign Instead of blindly trusting the receiving side to give us a sensible nonce to sign, limit the length (max 256 bytes) and the alphabet (alnum and a few selected punctuations, enough to encode in base64) that can be used in nonce. Signed-off-by: Junio C Hamano --- send-pack.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/send-pack.c b/send-pack.c index 7ad1a5968b..2249808027 100644 --- a/send-pack.c +++ b/send-pack.c @@ -279,6 +279,28 @@ free_return: return update_seen; } +#define NONCE_LEN_LIMIT 256 + +static void reject_invalid_nonce(const char *nonce, int len) +{ + int i = 0; + + if (NONCE_LEN_LIMIT <= len) + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + + for (i = 0; i < len; i++) { + int ch = nonce[i] & 0xFF; + if (isalnum(ch) || + ch == '-' || ch == '.' || + ch == '/' || ch == '+' || + ch == '=' || ch == '_') + continue; + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + } +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, @@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args, push_cert_nonce = server_feature_value("push-cert", &len); if (!push_cert_nonce) die(_("the receiving end does not support --signed push")); + reject_invalid_nonce(push_cert_nonce, len); push_cert_nonce = xmemdupz(push_cert_nonce, len); }