Use shellquote to unpack arguments to gitea serv (#12624)

Fix #12471

Signed-off-by: Andrew Thornton <art27@cantab.net>
release/v1.15
zeripath 2020-08-28 20:55:25 +01:00 committed by GitHub
parent 274f9233ab
commit 7ba6fea0b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 15 deletions

View File

@ -25,6 +25,7 @@ import (
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"github.com/dgrijalva/jwt-go" "github.com/dgrijalva/jwt-go"
"github.com/kballard/go-shellquote"
"github.com/unknwon/com" "github.com/unknwon/com"
"github.com/urfave/cli" "github.com/urfave/cli"
) )
@ -59,14 +60,6 @@ func setup(logPath string, debug bool) {
} }
} }
func parseCmd(cmd string) (string, string) {
ss := strings.SplitN(cmd, " ", 2)
if len(ss) != 2 {
return "", ""
}
return ss[0], strings.Replace(ss[1], "'/", "'", 1)
}
var ( var (
allowedCommands = map[string]models.AccessMode{ allowedCommands = map[string]models.AccessMode{
"git-upload-pack": models.AccessModeRead, "git-upload-pack": models.AccessModeRead,
@ -126,7 +119,20 @@ func runServ(c *cli.Context) error {
return nil return nil
} }
verb, args := parseCmd(cmd) words, err := shellquote.Split(cmd)
if err != nil {
fail("Error parsing arguments", "Failed to parse arguments: %v", err)
}
if len(words) < 2 {
fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
}
verb := words[0]
repoPath := words[1]
if repoPath[0] == '/' {
repoPath = repoPath[1:]
}
var lfsVerb string var lfsVerb string
if verb == lfsAuthenticateVerb { if verb == lfsAuthenticateVerb {
@ -134,17 +140,14 @@ func runServ(c *cli.Context) error {
fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled") fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
} }
argsSplit := strings.Split(args, " ") if len(words) > 2 {
if len(argsSplit) >= 2 { lfsVerb = words[2]
args = strings.TrimSpace(argsSplit[0])
lfsVerb = strings.TrimSpace(argsSplit[1])
} }
} }
repoPath := strings.ToLower(strings.Trim(args, "'"))
rr := strings.SplitN(repoPath, "/", 2) rr := strings.SplitN(repoPath, "/", 2)
if len(rr) != 2 { if len(rr) != 2 {
fail("Invalid repository path", "Invalid repository path: %v", args) fail("Invalid repository path", "Invalid repository path: %v", repoPath)
} }
username := strings.ToLower(rr[0]) username := strings.ToLower(rr[0])