Revision 6d8684161ee9c03bed5cb69ae76dfdddb85a0003 authored by Johannes Schindelin on 13 September 2019, 14:32:43 UTC, committed by Johannes Schindelin on 05 December 2019, 14:36:51 UTC
We need to be careful to follow proper quoting rules. For example, if an argument contains spaces, we have to quote them. Double-quotes need to be escaped. Backslashes need to be escaped, but only if they are followed by a double-quote character. We need to be _extra_ careful to consider the case where an argument ends in a backslash _and_ needs to be quoted: in this case, we append a double-quote character, i.e. the backslash now has to be escaped! The current code, however, fails to recognize that, and therefore can turn an argument that ends in a single backslash into a quoted argument that now ends in an escaped double-quote character. This allows subsequent command-line parameters to be split and part of them being mistaken for command-line options, e.g. through a maliciously-crafted submodule URL during a recursive clone. Technically, we would not need to quote _all_ arguments which end in a backslash _unless_ the argument needs to be quoted anyway. For example, `test\` would not need to be quoted, while `test \` would need to be. To keep the code simple, however, and therefore easier to reason about and ensure its correctness, we now _always_ quote an argument that ends in a backslash. This addresses CVE-2019-1350. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent a8dee3c
prompt.c
#include "cache.h"
#include "config.h"
#include "run-command.h"
#include "strbuf.h"
#include "prompt.h"
#include "compat/terminal.h"
static char *do_askpass(const char *cmd, const char *prompt)
{
struct child_process pass = CHILD_PROCESS_INIT;
const char *args[3];
static struct strbuf buffer = STRBUF_INIT;
int err = 0;
args[0] = cmd;
args[1] = prompt;
args[2] = NULL;
pass.argv = args;
pass.out = -1;
if (start_command(&pass))
return NULL;
strbuf_reset(&buffer);
if (strbuf_read(&buffer, pass.out, 20) < 0)
err = 1;
close(pass.out);
if (finish_command(&pass))
err = 1;
if (err) {
error("unable to read askpass response from '%s'", cmd);
strbuf_release(&buffer);
return NULL;
}
strbuf_setlen(&buffer, strcspn(buffer.buf, "\r\n"));
return buffer.buf;
}
char *git_prompt(const char *prompt, int flags)
{
char *r = NULL;
if (flags & PROMPT_ASKPASS) {
const char *askpass;
askpass = getenv("GIT_ASKPASS");
if (!askpass)
askpass = askpass_program;
if (!askpass)
askpass = getenv("SSH_ASKPASS");
if (askpass && *askpass)
r = do_askpass(askpass, prompt);
}
if (!r) {
const char *err;
if (git_env_bool("GIT_TERMINAL_PROMPT", 1)) {
r = git_terminal_prompt(prompt, flags & PROMPT_ECHO);
err = strerror(errno);
} else {
err = "terminal prompts disabled";
}
if (!r) {
/* prompts already contain ": " at the end */
die("could not read %s%s", prompt, err);
}
}
return r;
}
Computing file changes ...
