[Cvs-cvs] ccvs/src ChangeLog main.c root.c root.h sanity.sh
From: |
Derek Robert Price |
Subject: |
[Cvs-cvs] ccvs/src ChangeLog main.c root.c root.h sanity.sh |
Date: |
Wed, 09 May 2007 23:54:34 +0000 |
CVSROOT: /cvsroot/cvs
Module name: ccvs
Changes by: Derek Robert Price <dprice> 07/05/09 23:54:33
Modified files:
src : ChangeLog main.c root.c root.h sanity.sh
Log message:
* main.c (main): Use new root_allow_regexp_add function, declare
new --allow-root-regexp option parameter.
* root.c: Added new functions root_allow_regexp_add and
root_allow_compare_regexp, new variables
root_allow_regexp. Modified root_allow_ok, root_allow_used and
root_allow_free. The code adds the matched repository path to
root_allow as if specified using --allow-root. --allow-root is not
mandatory anymore if --allow-root-regexp is used instead.
(Original 2001/2004 patches from Roland Mas <address@hidden>.)
* sanity.sh: Added test cases as pserver-3b and pserver-3c,
updated pserver-3.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/ChangeLog?cvsroot=cvs&r1=1.3508&r2=1.3509
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/main.c?cvsroot=cvs&r1=1.268&r2=1.269
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/root.c?cvsroot=cvs&r1=1.125&r2=1.126
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/root.h?cvsroot=cvs&r1=1.24&r2=1.25
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/sanity.sh?cvsroot=cvs&r1=1.1175&r2=1.1176
Patches:
Index: ChangeLog
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/ChangeLog,v
retrieving revision 1.3508
retrieving revision 1.3509
diff -u -b -r1.3508 -r1.3509
--- ChangeLog 8 May 2007 12:35:53 -0000 1.3508
+++ ChangeLog 9 May 2007 23:54:33 -0000 1.3509
@@ -1,3 +1,19 @@
+2007-05-09 Derek Price <address@hidden>
+ for Sylvain Beucler <address@hidden>
+
+ * main.c (main): Use new root_allow_regexp_add function, declare
+ new --allow-root-regexp option parameter.
+ * root.c: Added new functions root_allow_regexp_add and
+ root_allow_compare_regexp, new variables
+ root_allow_regexp. Modified root_allow_ok, root_allow_used and
+ root_allow_free. The code adds the matched repository path to
+ root_allow as if specified using --allow-root. --allow-root is not
+ mandatory anymore if --allow-root-regexp is used instead.
+ (Original 2001/2004 patches from Roland Mas <address@hidden>.)
+
+ * sanity.sh: Added test cases as pserver-3b and pserver-3c,
+ updated pserver-3.
+
2007-05-07 Derek Price <address@hidden>
* mkmodules.c (init): Assert that the server is not active.
Index: main.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/main.c,v
retrieving revision 1.268
retrieving revision 1.269
diff -u -b -r1.268 -r1.269
--- main.c 17 May 2006 15:24:30 -0000 1.268
+++ main.c 9 May 2007 23:54:33 -0000 1.269
@@ -576,6 +576,7 @@
{"verify-arg", required_argument, NULL, 12},
#ifdef SERVER_SUPPORT
{"allow-root", required_argument, NULL, 3},
+ {"allow-root-regexp", required_argument, NULL, 14},
{"timeout", required_argument, NULL, 13},
#endif /* SERVER_SUPPORT */
{0, 0, 0, 0}
@@ -823,6 +824,10 @@
/* --allow-root */
root_allow_add (optarg, gConfigPath);
break;
+ case 14:
+ /* --allow-root-regexp */
+ root_allow_regexp_add (optarg, gConfigPath);
+ break;
case 13:
/* --timeout */
connection_timeout = strtol (optarg, &end, 10);
Index: root.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/root.c,v
retrieving revision 1.125
retrieving revision 1.126
diff -u -b -r1.125 -r1.126
--- root.c 24 Apr 2006 18:50:27 -0000 1.125
+++ root.c 9 May 2007 23:54:33 -0000 1.126
@@ -285,6 +285,7 @@
directories. Then we can check against them when a remote user
hands us a CVSROOT directory. */
static List *root_allow;
+static List *root_allow_regexp;
static void
delconfig (Node *n)
@@ -308,21 +309,65 @@
}
void
+root_allow_regexp_add (const char *arg, const char *configPath)
+{
+ Node *n;
+
+ if (!root_allow_regexp) root_allow_regexp = getlist();
+ n = getnode();
+ n->key = xstrdup (arg);
+
+ /* This is a regexp, not the final cvsroot path - we cannot attach
+ it a config. So we attach configPath and we'll root_allow_add()
+ the actual, matching root in root_allow_compare_regexp() */
+ n->data = (void*)configPath;
+
+ addnode (root_allow_regexp, n);
+}
+
+void
root_allow_free (void)
{
dellist (&root_allow);
+ dellist (&root_allow_regexp);
}
bool
root_allow_used (void)
{
- return root_allow != NULL;
+ return root_allow || root_allow_regexp;
+}
+
+/* walklist() callback for determining if 'root_to_check' matches
+ n->key (a regexp). If yes, 'root_to_check' will be added as if
+ directly specified through --allow-root.
+ */
+static int
+root_allow_compare_regexp (Node *n, void *root_to_check)
+{
+ int status;
+ regex_t re;
+
+ if (regcomp(&re, n->key,
+ REG_EXTENDED|REG_NOSUB) != 0)
+ {
+ return 0; /* report error? */
+ }
+ status = regexec(&re, root_to_check, (size_t) 0, NULL, 0);
+ regfree(&re);
+ if (status == 0)
+ {
+ /* n->data contains gConfigPath */
+ root_allow_add (root_to_check, n->data);
+ return 1;
+ }
+ return 0;
}
bool
root_allow_ok (const char *arg)
{
- if (!root_allow)
+ if (!root_allow_used())
{
/* Probably someone upgraded from CVS before 1.9.10 to 1.9.10
or later without reading the documentation about
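Review bot: A pattern that fails to compile is silently treated as a non-match in root_allow_compare_regexp (the `return 0; /* report error? */` branch), so a typo in --allow-root-regexp surfaces only as clients being refused, and the pattern is recompiled on every root check. Validating it in root_allow_regexp_add and failing at option-parsing time would put the error where the administrator sees it; a sketch follows, assuming error() is usable at that point in main. Separately, the new node stores configPath, which it does not own, and sets no delproc; what dellist in root_allow_free does with n->data in that case is decided in list code not shown here, so confirm it does not free that pointer. root_allow_ok starts inside this hunk and continues past its end.

```c
void
root_allow_regexp_add (const char *arg, const char *configPath)
{
    regex_t re;
    int rc;

    /* Reject a malformed pattern when the option is parsed, not when a
       client's root is matched against it. */
    rc = regcomp (&re, arg, REG_EXTENDED|REG_NOSUB);
    if (rc != 0)
    {
        char msg[256];
        regerror (rc, &re, msg, sizeof msg);
        error (1, 0, "invalid --allow-root-regexp pattern `%s': %s", arg, msg);
    }
    regfree (&re);

    /* … unchanged: list creation, node setup, addnode … */
}
```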
@@ -334,12 +379,18 @@
back "error" rather than waiting for the next request which
expects responses. */
printf ("\
-error 0 Server configuration missing --allow-root in inetd.conf\n");
+error 0 Server configuration missing --allow-root or --allow-root-regexp in
inetd.conf\n");
exit (EXIT_FAILURE);
}
+ /* Look for 'arg' in the list of full-path allowed roots */
if (findnode (root_allow, arg))
return true;
+
+ /* Match 'arg' against the list of allowed roots regexps */
+ if (walklist (root_allow_regexp, root_allow_compare_regexp, (void*)arg))
+ return true;
+
return false;
}
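Review bot: The regexp branch in root_allow_ok grants access on any regexec match, so an unanchored pattern is satisfied by a substring of the client-supplied root, not by the whole path. The patterns in the sanity.sh tests are anchored with `^…$`, but nothing in this code requires it. Either state the anchoring requirement in a comment above the walklist call, e.g. `/* Patterns are matched unanchored; administrators must write ^...$ to match a whole root. */`, or have root_allow_compare_regexp drop REG_NOSUB and accept only a match that spans the entire string. It is also worth confirming that arg has been normalised before this point, since a class such as `[^/]+` also matches a `..` component; that check is not visible here. root_allow_ok begins outside this hunk.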
Index: root.h
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/root.h,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -b -r1.24 -r1.25
--- root.h 24 Apr 2006 18:50:27 -0000 1.24
+++ root.h 9 May 2007 23:54:33 -0000 1.25
@@ -89,6 +89,7 @@
__attribute__ ((__malloc__));
void Create_Root (const char *dir, const char *rootdir);
void root_allow_add (const char *, const char *configPath);
+void root_allow_regexp_add (const char *, const char *configPath);
void root_allow_free (void);
bool root_allow_used (void);
bool root_allow_ok (const char *);
Index: sanity.sh
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/sanity.sh,v
retrieving revision 1.1175
retrieving revision 1.1176
diff -u -b -r1.1175 -r1.1176
--- sanity.sh 8 May 2007 12:35:53 -0000 1.1175
+++ sanity.sh 9 May 2007 23:54:33 -0000 1.1176
@@ -31622,7 +31622,7 @@
willfail: :whocares
EOF
dotest_fail pserver-3 "$servercvs pserver" \
-"error 0 Server configuration missing --allow-root in inetd.conf" <<EOF
+"error 0 Server configuration missing --allow-root or --allow-root-regexp in
inetd.conf" <<EOF
BEGIN AUTH REQUEST
$CVSROOT_DIRNAME
testme
@@ -31640,6 +31640,27 @@
END AUTH REQUEST
EOF
+ regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+ dotest pserver-3b "${testcvs} --allow-root-regexp=$regexp pserver" \
+"I LOVE YOU" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
+ regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+ dotest_fail pserver-3c "${testcvs} --allow-root-regexp=$regexp
pserver" \
+"$CPROG pserver: ${CVSROOT_DIRNAME}/subdir: no such repository
+I HATE YOU" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}/subdir
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
# Confirm that not sending a newline during auth cannot constitute
# a denial-of-service attack. This assumes that PATH_MAX is less
# than 65536 bytes. If PATH_MAX is larger than 65535 bytes, this
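Review bot: pserver-3b and pserver-3c both pass a well-formed, anchored pattern, so the path where the pattern does not compile (root.c returns 0 with `/* report error? */`) has no test. A further case that passes a malformed pattern and asserts the expected rejection would pin that behaviour. The `dirname` output is also spliced into the regexp unescaped, so a test directory whose path contains regexp metacharacters changes what the pattern matches; a comment such as `# assumes CVSROOT_DIRNAME contains no regexp metacharacters` above the `regexp=` lines would record that. The surrounding test function starts and ends outside this hunk.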