Commit Graph

61 Commits

Author SHA1 Message Date
Christian Hesse
bfabd4519c git: update to v2.24.0
Update to git version v2.24.0.

Never use get_cached_commit_buffer() directly, use repo_get_commit_buffer()
instead. The latter calls the former anyway. This fixes segmentation fault
when commit-graph is enabled and get_cached_commit_buffer() does not return
the expected result.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-11-08 22:55:58 +01:00
Christian Hesse
2c9f56f3e1 git: update to v2.19.1
Update to git version v2.19.1. Required changes follow upstream commits:

* commit: add repository argument to get_cached_commit_buffer
  (3ce85f7e5a41116145179f0fae2ce6d86558d099)

* commit: add repository argument to lookup_commit_reference
  (2122f6754c93be8f02bfb5704ed96c88fc9837a8)

* object: add repository argument to parse_object
  (109cd76dd3467bd05f8d2145b857006649741d5c)

* tag: add repository argument to deref_tag
  (a74093da5ed601a09fa158e5ba6f6f14c1142a3e)

* tag: add repository argument to lookup_tag
  (ce71efb713f97f476a2d2ab541a0c73f684a5db3)

* tree: add repository argument to lookup_tree
  (f86bcc7b2ce6cad68ba1a48a528e380c6126705e)

* archive.c: avoid access to the_index
  (b612ee202a48f129f81f8f6a5af6cf71d1a9caef)

* for_each_*_object: move declarations to object-store.h
  (0889aae1cd18c1804ba01c1a4229e516dfb9fe9b)

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-10-12 23:06:02 +02:00
Christian Hesse
60a930044d parsing: ban sprintf()
Git upstream bans sprintf() with commit:

  banned.h: mark sprintf() as banned
  cc8fdaee1eeaf05d8dd55ff11f111b815f673c58

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
7cde5885d8 parsing: ban strncpy()
Git upstream bans strncpy() with commit:

  banned.h: mark strncpy() as banned
  e488b7aba743d23b830d239dcc33d9ca0745a9ad

Signed-off-by: Christian Hesse <mail@eworm.de>
2018-09-11 08:47:12 +02:00
Christian Hesse
255b78ff52 git: update to v2.18.0
Update to git version v2.18.0. Required changes follow upstream commits:

* Convert find_unique_abbrev* to struct object_id
  (aab9583f7b5ea5463eb3f653a0b4ecac7539dc94)
* sha1_file: convert read_sha1_file to struct object_id
  (b4f5aca40e6f77cbabcbf4ff003c3cf30a1830c8)
* sha1_file: convert sha1_object_info* to object_id
  (abef9020e3df87c441c9a3a95f592fce5fa49bb9)
* object-store: move packed_git and packed_git_mru to object store
  (a80d72db2a73174b3f22142eb2014b33696fd795)
* treewide: rename tree to maybe_tree
  (891435d55da80ca3654b19834481205be6bdfe33)

The changed data types required some of our own functions to be converted
to struct object_id:

  ls_item
  print_dir
  print_dir_entry
  print_object
  single_tree_cb
  walk_tree
  write_tree_link

And finally we use new upstream functions that were added for
struct object_id:

  hashcpy     -> oidcpy
  sha1_to_hex -> oid_to_hex

Signed-off-by: Christian Hesse <mail@eworm.de>
Reviewed-by: John Keeping <john@keeping.me.uk>
2018-06-27 18:13:03 +02:00
John Keeping
9d751e7eec parsing: don't clear existing state with empty input
Since commit c699866 (parsing: clear query path before starting,
2017-02-19), we clear the "page" variable simply by calling
cgit_parse_url() even if the URL is empty.  This breaks a URL like:

	.../cgit?p=about

which is generated when using the "root-readme" configuration option.

This happens because "page" is set to "about" when parsing the query
string before we handle the path (which is empty, but non-null).

It turns out that this is not the only case which is broken, but
specifying repository and page via query options has been broken since
before the commit mentioned above, for example:

	.../cgit?r=git&p=log

Fix both of these by allowing the previous state to persist if PATH_INFO
is empty, falling back to the query parameters if no path has been
requested.

Reported-by: Tom Ryder <tom@sanctum.geek.nz>
Signed-off-by: John Keeping <john@keeping.me.uk>
2017-10-14 14:31:18 +02:00
John Keeping
c699866699 parsing: clear query path before starting
By specifying the "url" query parameter multiple times it is possible to
end up with ctx.qry.vpath set while ctx.repo is null, which triggers an
invalid code path from cgit_print_pageheader() while printing path
crumbs, resulting in a null dereference.

The previous patch fixed this segfault, but it makes no sense for us to
clear ctx.repo while leaving ctx.qry.path set to the previous value, so
let's just clear it here so that the last "url" parameter given takes
full effect rather than partially overriding the effect of the previous
value.

Signed-off-by: John Keeping <john@keeping.me.uk>
2017-08-10 16:05:07 +02:00
John Keeping
45c87ca1c3 parsing: add timezone to ident structures
This will allow us to mimic Git's behaviour of showing times in the
originator's timezone when displaying commits and tags.

Signed-off-by: John Keeping <john@keeping.me.uk>
2016-02-08 14:20:08 +01:00
Christian Hesse
559ab5ecc4 git: update to v2.7.0
Update to git version v2.7.0.

* Upstream commit ed1c9977cb1b63e4270ad8bdf967a2d02580aa08 (Remove
  get_object_hash.) changed API:

  Convert all instances of get_object_hash to use an appropriate
  reference to the hash member of the oid member of struct object.
  This provides no functional change, as it is essentially a macro
  substitution.

Signed-off-by: Christian Hesse <mail@eworm.de>
2016-01-13 17:12:17 +01:00
Lukas Fleischer
3cb8e76278 Drop return value from parse_user()
In commit 936295c (Simplify commit and tag parsing, 2015-03-03), the
commit and tag parsing code was refactored. This broke tag messages in
ui-tag since the line after the tagger header was erroneously skipped.
Rework parse_user() and skip the line manually outside parse_user().

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2015-03-05 15:54:47 +01:00
Lukas Fleischer
4d8ed337cb Remove leading newline characters from tag messages
Fixes a regression introduced in commit 936295c (Simplify commit and tag
parsing, 2015-03-03).

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2015-03-05 15:54:34 +01:00
Lukas Fleischer
936295c4e4 Simplify commit and tag parsing
* Use skip_prefix to avoid magic numbers in the code.
* Use xcalloc() instead of xmalloc(), followed by manual initialization.
* Split out line splitting.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2015-03-03 16:47:30 +01:00
Lukas Fleischer
6f9e8a9659 Use split_ident_line() in parse_user()
Use Git's built-in ident line splitting algorithm instead of
reimplementing it. This does not only simplify the code but also makes
sure that cgit is consistent with Git when it comes to author parsing.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-12-24 01:38:28 -07:00
John Keeping
865afe0eb1 git: update to v2.0.3
This is slightly more involved than just bumping the version number
because it pulls in a change to convert the commit buffer to a slab,
removing the "buffer" field from "struct commit".  All sites that access
"commit->buffer" have been changed to use the new functions provided for
this purpose.

Signed-off-by: John Keeping <john@keeping.me.uk>
2014-07-28 02:01:35 +02:00
John Keeping
93d8ef8f1d parsing.c: make commit buffer const
This will be required in order to incorporate the changes to commit
buffer handling in Git 2.0.2.

Signed-off-by: John Keeping <john@keeping.me.uk>
2014-07-28 02:01:23 +02:00
Christian Hesse
79c985e13c git: update for git 2.0
prefixcmp() and suffixcmp() have been remove, functionality is now
provided by starts_with() and ends_with(). Retrurn values have been
changed, so instead of just renaming we have to fix logic.
Everything else looks just fine.
2014-06-28 15:14:56 +02:00
Julian Maurice
10451797fa Fix cgit_parse_url when a repo url is contained in another repo url
For example, if I have two repos (remove-suffix is enabled):
  /foo
  /foo/bar

http://cgit/foo/bar/ is interpreted as "repository 'foo', command 'bar'"
instead of "repository 'foo/bar'"
2014-04-05 19:05:36 -03:00
Lukas Fleischer
2a7dd4bf67 parsing.c: Remove leading space from committer
This did not really break anything in the past since spaces are ignored
when rendering HTML. Remove the preceding space anyway to prevent from
potential future problems.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-16 00:53:08 +01:00
Jason A. Donenfeld
d01a6eec43 parsing: fix header typo 2014-01-10 17:45:43 +01:00
Lukas Fleischer
36bdb2171f Replace most uses of strncmp() with prefixcmp()
This is a preparation for replacing all prefix checks with either
strip_prefix() or starts_with() when Git 1.8.6 is released.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2014-01-10 17:01:29 +01:00
Lukas Fleischer
f7f26f8875 Update copyright information
* Name "cgit Development Team" as copyright holder to avoid listing
  every single developer.

* Update copyright ranges.

Signed-off-by: Lukas Fleischer <cgit@crytocrack.de>
2014-01-08 15:10:49 +01:00
Lukas Fleischer
bafab423f2 Mark several functions/variables static
Spotted by parsing the output of `gcc -Wmissing-prototypes [...]`.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
2013-03-04 19:50:39 -05:00
Jason A. Donenfeld
bdae1d8a8d White space around control verbs.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2013-03-04 09:12:54 -05:00
Jim Meyering
61d4147ea2 do not write outside heap buffer
* parsing.c (substr): Handle tail < head.

This started when I noticed some cgit segfaults on savannah.gnu.org.
Finding the offending URL/commit and then constructing a stand-alone
reproducer were far more time-consuming than writing the actual patch.

The problem arises with a commit like this, in which the user name
part of the "Author" field is empty:

    $ git log -1
    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
    Author: <T at h.or>
    Date:   Mon Apr 23 22:29:16 2012 +0200

Here's what happens:

(this is due to buf=malloc(0); strncpy (buf, head, -1);
 where "head" may point to plenty of attacker-specified non-NUL bytes,
 so we can overwrite a zero-length heap buffer with arbitrary data)

 Invalid write of size 1
    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
    by 0x455C85: xmalloc (wrapper.c:35)
    by 0x40894C: substr (parsing.c:60)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)

 Invalid write of size 1
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd

 Invalid write of size 1
    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x502F000
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)

This happens when tail - head == -1 here:
(parsing.c)

  char *substr(const char *head, const char *tail)
  {
          char *buf;

          buf = xmalloc(tail - head + 1);
          strncpy(buf, head, tail - head);
          buf[tail - head] = '\0';
          return buf;
  }

  char *parse_user(char *t, char **name, char **email, unsigned long *date)
  {
          char *p = t;
          int mode = 1;

          while (p && *p) {
                  if (mode == 1 && *p == '<') {
                          *name = substr(t, p - 1);
                          t = p;
                          mode++;
                  } else if (mode == 1 && *p == '\n') {

The fix is to handle the case of (tail < head) before calling xmalloc,
thus avoiding passing an invalid value to xmalloc.

And here's the reproducer:
It was tricky to reproduce, because git prohibits use of an empty "name"
in a commit ID.  To construct the offending commit, I had to resort to
using "git hash-object".

git init -q foo &&
( cd foo &&
  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
  h=$(git cat-file commit HEAD|sed 's/au //' \
    |git hash-object -t commit -w --stdin) &&
  git co -q -b test $h &&
  git br -q -D master &&
  git br -q -m test master)
git clone -q --bare foo foo.git

cat <<EOF > in
repo.url=foo.git
repo.path=foo.git
EOF
CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit

The valgrind output is what you see above.

AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
copy whatever is in "head" (up to first NUL), but it also writes
SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
AFAICS, there is no way that the buffer clobbering can be turned into
an exploit.
2012-10-02 04:03:47 +02:00
Lukas Fleischer
1e25ac5b8f Remove dead initialization in cgit_parse_commit()
The value stored to "t" during its initialization gets overwritten in
any case, so just leave it uninitialized. Spotted by clang-analyzer.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-07-22 12:21:11 +00:00
Lukas Fleischer
a0bf375a1a Avoid null pointer dereference in reencode().
Returning "*txt" if "txt" is a null pointer is a bad thing. Spotted with
clang-analyzer.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-05-23 22:58:35 +02:00
Julius Plenz
0a799424f6 fix two encoding bugs
reencode() takes three arguments in the order (txt, from, to), opposed to
reencode_string, which will, like iconv, handle the arguments with from
and to swapped. Fix that (this makes reencode more intuitive).
If src and dst encoding are equivalent, don't do any encoding.

If no special encoding parameter is found within the commit, assume
UTF-8 and explicitly convert to PAGE_ENCODING. The change to reencode()
mentioned above avoids re-encoding a UTF-8 string to UTF-8, for example.

Signed-off-by: Julius Plenz <plenz@cis.fu-berlin.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2011-03-26 15:21:07 +01:00
Rémi Lagacé
73ac0fb6f2 Reencode author and committer
When a commit has a specific encoding, this encoding also applies to
the author and committer name and email.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2010-07-13 19:24:55 +02:00
Lars Hjemli
14b4e108a7 parsing.c: enable builds with NO_ICONV defined
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-12-05 19:10:28 +01:00
Lars Hjemli
a8305a9543 parsing.c: be prepared for unexpected content in commit/tag objects
When parsing commits and tags cgit made too many assumptions about the
formatting of said objects. This patch tries to make the code be more
prepared to handle 'malformed' objects.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-09-15 22:33:11 +02:00
Lars Hjemli
e87e896333 Move cgit_parse_query() from parsing.c to html.c as http_parse_querystring()
This is a generic http-function.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-04-08 21:11:36 +02:00
Lars Hjemli
20a33548b9 Move function for configfile parsing into configfile.[ch]
This is a generic function which wanted its own little object file.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-03-28 00:09:11 +01:00
Lars Hjemli
e0e4478e7b Add command dispatcher
This simplifies the code in cgit.c and makes it easier to extend cgit with
new pages/commands.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-03-24 01:43:48 +01:00
Lars Hjemli
d1f3bbe9d2 Move cgit_repo into cgit_context
This removes the global variable which is used to keep track of the
currently selected repository, and adds a new variable in the cgit_context
structure.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-02-16 13:56:09 +01:00
Lars Hjemli
d14d77fe95 Introduce struct cgit_context
This struct will hold all the cgit runtime information currently found in
a multitude of global variables.

The first cleanup removes all querystring-related variables.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2008-02-16 12:07:28 +01:00
Lars Hjemli
dabb34af76 Merge branch 'stable'
* stable:
  Handle missing timestamp in commit/tag objects
  Set commit date on snapshot contents
2007-12-02 22:28:37 +01:00
Lars Hjemli
fc4c4ba3a9 Handle missing timestamp in commit/tag objects
When a commit or tag lacks author/committer/tagger timestamp, do not skip
the next line in the commit/tag object.

Also, do not bother to print timestamps with value 0 as it is close to certain
to be bogus.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-12-02 22:27:07 +01:00
Lars Hjemli
a2ebbd6948 Use utf8::reencode_string from git
This replaces the iconv-support in cgit with similar functions already
existing in git.

Signed-off-by: Lars Hjemli <hjemli@gmai.com>
2007-11-05 18:13:31 -05:00
Jonathan Bastien-Filiatrault
7858a309d7 Convert subject and message with iconv_msg. 2007-11-05 18:13:31 -05:00
Jonathan Bastien-Filiatrault
af08198304 Add iconv_msg function. 2007-11-05 18:13:30 -05:00
Jonathan Bastien-Filiatrault
aa5cc328f4 Set msg_encoding according to the header. 2007-11-05 18:13:30 -05:00
Jonathan Bastien-Filiatrault
3845e177e4 Add commit->msg_encoding, allocate msg dynamicly. 2007-11-05 18:13:30 -05:00
Lars Hjemli
c61360fea0 cgit_parse_commit(): Add missing call to xstrdup()
It's rather silly to point into random memory-locations. Also, remove a
call to strdup() used on a literal char *.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-10-27 13:55:12 +02:00
Lars Hjemli
13d2b0b25c Skip unknown header fields when parsing tags and commits
Both the commit- and tagparser failed to handle unexpected header fields.
This adds futureproofing by simply skipping any header we don't know/care
about.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-10-27 09:05:40 +02:00
Lars Hjemli
382805ee83 Add trim_end() and use it to remove trailing slashes from repo paths
The new function removes all trailing instances of an arbitrary character
from a copy of the supplied char array. This is then used to remove any
trailing slashes from cgit_query_path.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-06-26 18:04:39 +02:00
Ondrej Jirman
6130231ed5 Check for NULL commit buffer in cgit_parse_commit()
This can be NULL, so try not to segfault.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-05-31 10:24:43 +02:00
Ondrej Jirman
3ce6fc16ef Handle single-line and empty commit subjects
If commit object ends with \0 after subject line, then info->subject
was not set.

This commit fixes this and also sets subject to ** empty ** if it
would otherwise be empty, so that there is something to click on.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-05-31 10:21:50 +02:00
Lars Hjemli
3de63b264c Don't be fooled by trailing '/' in url-parameter
cgit_parse_url() didn't check if the path-part of urls contained a
real path or just a trailing slash. This made the log-page die since
the path filtering supplied an invalid path argument. This fixes it.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-05-18 22:51:02 +02:00
Lars Hjemli
30ccdcaa74 Enable url=value querystring parameter
This makes is possible to use repo-urls like '/pub/scm/git/git.git' and
even add path specifications, like '/pub/scm/git/git.git/log/documentation'.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-05-18 22:51:01 +02:00
Lars Hjemli
47a81c77fd Restrict deep nesting of configfiles
There is no point in restricting the number of included config-
files, but there is a point in restricting the nestinglevel
of configfiles: to avoid recursive inclusions. This is easily
achieved by decrementing the static nesting-variable upon exit
from cgit_read_config().

Also fix some whitespace breakage.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
2007-05-15 23:32:25 +02:00