summaryrefslogtreecommitdiff
path: root/daemon.c
AgeCommit message (Collapse)AuthorFilesLines
2009-11-09http-backend: Protect GIT_PROJECT_ROOT from /../ requestsLibravatar Shawn O. Pearce1-48/+1
Eons ago HPA taught git-daemon how to protect itself from /../ attacks, which Junio brought back into service in d79374c7b58d ("daemon.c and path.enter_repo(): revamp path validation"). I did not carry this into git-http-backend as originally we relied only upon PATH_TRANSLATED, and assumed the HTTP server had done its access control checks to validate the resolved path was within a directory permitting access from the remote client. This would usually be sufficient to protect a server from requests for its /etc/passwd file by http://host/smart/../etc/passwd sorts of URLs. However in 917adc036086 Mark Lodato added GIT_PROJECT_ROOT as an additional method of configuring the CGI. When this environment variable is used the web server does not generate the final access path and therefore may blindly pass through "/../etc/passwd" in PATH_INFO under the assumption that "/../" might have special meaning to the invoked CGI. Instead of permitting these sorts of malformed path requests, we now reject them back at the client, with an error message for the server log. This matches git-daemon behavior. Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-07-06Merge branch 'tr/die_errno'Libravatar Junio C Hamano1-8/+7
* tr/die_errno: Use die_errno() instead of die() when checking syscalls Convert existing die(..., strerror(errno)) to die_errno() die_errno(): double % in strerror() output just in case Introduce die_errno() that appends strerror(errno) to die()
2009-07-01Merge branch 'js/daemon-log'Libravatar Junio C Hamano1-8/+48
* js/daemon-log: receive-pack: do not send error details to the client upload-pack: squelch progress indicator if client cannot see it daemon: send stderr of service programs to the syslog
2009-06-27Convert existing die(..., strerror(errno)) to die_errno()Libravatar Thomas Rast1-8/+7
Change calls to die(..., strerror(errno)) to use the new die_errno(). In the process, also make slight style adjustments: at least state _something_ about the function that failed (instead of just printing the pathname), and put paths in single quotes. Signed-off-by: Thomas Rast <trast@student.ethz.ch> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-20Fix various sparse warnings in the git source codeLibravatar Linus Torvalds1-1/+1
There are a few remaining ones, but this fixes the trivial ones. It boils down to two main issues that sparse complains about: - warning: Using plain integer as NULL pointer Sparse doesn't like you using '0' instead of 'NULL'. For various good reasons, not the least of which is just the visual confusion. A NULL pointer is not an integer, and that whole "0 works as NULL" is a historical accident and not very pretty. A few of these remain: zlib is a total mess, and Z_NULL is just a 0. I didn't touch those. - warning: symbol 'xyz' was not declared. Should it be static? Sparse wants to see declarations for any functions you export. A lack of a declaration tends to mean that you should either add one, or you should mark the function 'static' to show that it's in file scope. A few of these remain: I only did the ones that should obviously just be made static. That 'wt_status_submodule_summary' one is debatable. It has a few related flags (like 'wt_status_use_color') which _are_ declared, and are used by builtin-commit.c. So maybe we'd like to export it at some point, but it's not declared now, and not used outside of that file, so 'static' it is in this patch. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-18daemon: send stderr of service programs to the syslogLibravatar Johannes Sixt1-8/+48
If git-daemon is run with --detach or --inetd, then stderr is explicitly redirected to /dev/null. But notice that the service programs were spawned via execl_git_cmd(), in particular, the stderr channel is inherited from the daemon. This means that errors that the programs wrote to stderr (for example, via die()), went to /dev/null. This patch arranges that the daemon does not merely exec the service program, but forks it and monitors stderr of the child; it writes the errors that it produces to the daemons log via logerror(). A consequence is that the daemon process remains in memory for the full duration of the service program, but this cannot be avoided. Signed-off-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-06-06daemon: Strictly parse the "extra arg" part of the commandLibravatar Shawn O. Pearce1-4/+6
Since 1.4.4.5 (49ba83fb67 "Add virtualization support to git-daemon") git daemon enters an infinite loop and never terminates if a client hides any extra arguments in the initial request line which is not exactly "\0host=blah\0". Since that change, a client must never insert additional extra arguments, or attempt to use any argument other than "host=", as any daemon will get stuck parsing the request line and will never complete the request. Since the client can't tell if the daemon is patched or not, it is not possible to know if additional extra args might actually be able to be safely requested. If we ever need to extend the git daemon protocol to support a new feature, we may have to do something like this to the exchange: # If both support git:// v2 # C: 000cgit://v2 S: 0010ok host user C: 0018host git.kernel.org C: 0027git-upload-pack /pub/linux-2.6.git S: ...git-upload-pack header... # If client supports git:// v2, server does not: # C: 000cgit://v2 S: <EOF> C: 003bgit-upload-pack /pub/linux-2.6.git\0host=git.kernel.org\0 S: ...git-upload-pack header... This requires the client to create two TCP connections to talk to an older git daemon, however all daemons since the introduction of daemon.c will safely reject the unknown "git://v2" command request, so the client can quite easily determine the server supports an older protocol. Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-29daemon.c: fix segfault on OS XLibravatar Benjamin Kramer1-14/+14
On OS X (and maybe other unices), getaddrinfo(3) returns NULL in the ai_canonname field if it's called with an IP address for the hostname. We'll now use the IP address for the hostname if ai_canonname was NULL, this also matches the behaviour on Linux. steps to reproduce: $ git daemon --export-all $ git clone git://127.0.0.1/frotz => git daemon's fork (silently) segfaults. Remove the pointless loop while at it. There is only one iteration because of the break; on the last line and there are no continues. Signed-off-by: Benjamin Kramer <benny.kra@googlemail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-03-04improve missing repository error messageLibravatar Jeff King1-1/+1
Certain remote commands, when asked to do something in a particular directory that was not actually a git repository, would say "unable to chdir or not a git archive". The "chdir" bit is an unnecessary detail, and the term "git archive" is much less common these days than "git repository". So let's switch them all to: fatal: '%s' does not appear to be a git repository Signed-off-by: Jeff King <peff@peff.net> Acked-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-26Add calls to git_extract_argv0_path() in programs that call git_config_*Libravatar Steffen Prohaska1-0/+2
Programs that use git_config need to find the global configuration. When runtime prefix computation is enabled, this requires that git_extract_argv0_path() is called early in the program's main(). This commit adds the necessary calls. Signed-off-by: Steffen Prohaska <prohaska@zib.de> Acked-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-01-05remove trailing LF in die() messagesLibravatar Alexander Potashev1-1/+1
LF at the end of format strings given to die() is redundant because die already adds one on its own. Signed-off-by: Alexander Potashev <aspotashev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26daemon: cleanup: factor out xstrdup_tolower()Libravatar René Scharfe1-21/+13
Add xstrdup_tolower(), a helper to get a lower case copy of a string, and use it in two cases. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26daemon: cleanup: replace loop with ifLibravatar René Scharfe1-13/+5
Replace a loop around an enter_repo() call, which was used to retry a single time with a different parameter in case the first call fails, with two calls and an if. This is shorter and cleaner. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-12-26daemon: handle freopen() failureLibravatar René Scharfe1-1/+3
Die if stderr couldn't be sent to /dev/null when operating in inetd mode and report the error message from the OS. This fixes a compiler warning about the return value of freopen() being ignored on Ubuntu 8.10. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23daemon: deglobalize variable 'directory'Libravatar René Scharfe1-10/+6
Remove the global variable 'directory' and pass it as a parameter of the two functions that use it instead, (almost) restoring their interface to how it was before 49ba83fb67d9e447b86953965ce5f949c6a93b81. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23daemon: inline fill_in_extra_table_entries()Libravatar René Scharfe1-8/+2
Having fill_in_extra_table_entries() as a separate function has no advantage -- a function with no parameters and return values might as well be an anonymous block of code. Its name still refers to the table of interpolate() which has been removed earlier, so it's better to inline it at its only call site. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-23daemon: use strbuf_expand() instead of interpolate()Libravatar René Scharfe1-55/+54
Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-24git-daemon: set REMOTE_ADDR to client addressLibravatar Joey Hess1-0/+4
This allows hooks like pre-receive to look at the client's IP address. Of course the IP address can't be used to get strong security; git-daemon isn't the right thing to use if you need that. However, basic IP address checking can be good enough in some situations. REMOTE_ADDR is the same environment variable used to communicate the client's address to CGI scripts. Signed-off-by: Joey Hess <joey@kitenet.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-09-25Merge branch 'jc/alternate-push'Libravatar Shawn O. Pearce1-7/+3
* jc/alternate-push: push: receiver end advertises refs from alternate repositories push: prepare sender to receive extended ref information from the receiver receive-pack: make it a builtin is_directory(): a generic helper function
2008-09-09is_directory(): a generic helper functionLibravatar Junio C Hamano1-7/+3
A simple "grep -e stat --and -e S_ISDIR" revealed there are many open-coded implementations of this function. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-09-06daemon.c: avoid setlinebuf()Libravatar Junio C Hamano1-1/+2
This function is outside POSIX (Linux and recent BSD have it). Replace it with setvbuf() which is POSIX. I am not sure about the value this patch passes as size argument to setvbuf(), though. I know the call this patch makes is equivalent to calling setlinebuf() with GNU libc, but POSIX itself leaves what happens to the size argument quite vague, saying only "otherwise [i.e. when buf is a null pointer], size _may_ determine the size of a buffer allocated by the setvbuf() function." If passing size=0 causes stdio to allocate very small buffer, and while stdio tries to line buffer the output, it might make it to fail to buffer an entire line, causing early flushing of the stream. Even if that turns out to be a problem on minorority platforms, we won't know it until the issue actually hurts them, so let's push this change out and see what happens. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-31cast pid_t's to uintmax_t to improve portabilityLibravatar David Soria Parra1-3/+3
Some systems (like e.g. OpenSolaris) define pid_t as long, therefore all our sprintf that use %i/%d cause a compiler warning beacuse of the implicit long->int cast. To make sure that we fit the limits, we display pids as PRIuMAX and cast them explicitly to uintmax_t. Signed-off-by: David Soria Parra <dsp@php.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-25daemon.c: minor style fixupLibravatar Junio C Hamano1-42/+34
* "else" on the same line as "}" that closes corresponding "if (...) {"; * multi-line comments begin with "/*\n"; * sizeof, even it is not a function, is written as "sizeof(...)"; * no need to check x?alloc() return value -- it would have died; * "if (...) { ... }" that covers the whole function body can be dedented by returning from the function early with "if (!...) return;"; * SP on each side of an operator, i.e. "a > 0", not "a>0"; Also removes stale comment describing how remove_child() used to do its thing. Signed-off-by: Junio C Hamano <gitster@pobox.com>: Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17git-daemon: rewrite kindergarden, new option --max-connectionsLibravatar Stephen R. van den Berg1-138/+75
Get rid of the fixed array of children and make max-connections dynamic and configurable. Fix the killing code to actually kill the newest connections from duplicate IP-addresses. Avoid forking if too busy already. Signed-off-by: Stephen R. van den Berg <srb@cuci.nl> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17git-daemon: Simplify dead-children reaping logicLibravatar Stephen R. van den Berg1-32/+23
Move almost all code out of the child_handler() into check_dead_children(). The fact that systemcalls get interrupted by signals allows us to make the SIGCHLD signal handler almost a no-op by simply running check_dead_children() right before waiting on poll(). In case some systems do not interrupt systemcalls upon signal receipt, all zombies will eventually be collected before the next poll() cycle. Signed-off-by: Stephen R. van den Berg <srb@cuci.nl> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17git-daemon: use LOG_PID, simplify logging codeLibravatar Stephen R. van den Berg1-31/+16
Make git-daemon use LOG_PID like most daemons, instead of prepending the pid to the message ourselves, when using syslog(3). Simplify the logging code by setting stderr to line buffered, instead of building a single string and writing it out with a single write(2). Give an extra log message at the daemon start-up. Signed-off-by: Stephen R. van den Berg <srb@cuci.nl> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-17git-daemon: call logerror() instead of error()Libravatar Stephen R. van den Berg1-2/+2
Use logerror(), not error(), so that the messages won't be lost, especially when running the daemon with its log sent to the syslog facility. Signed-off-by: Stephen R. van den Berg <srb@cuci.nl> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-08-12git-daemon: SysV needs the signal handler reinstated.Libravatar Stephen R. van den Berg1-0/+1
Fixes the bug on (amongst others) Solaris that only the first child ever is reaped. Signed-off-by: Stephen R. van den Berg <srb@cuci.nl> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-23git daemon: avoid waking up too oftenLibravatar Johannes Schindelin1-14/+11
To avoid waking up unnecessarily, a pipe is set up that is only ever written to by child_handler(), when a child disconnects, as suggested per Junio. This avoids waking up the main process every second to see if a child was disconnected. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-13Make usage strings dash-lessLibravatar Stephan Beyer1-1/+1
When you misuse a git command, you are shown the usage string. But this is currently shown in the dashed form. So if you just copy what you see, it will not work, when the dashed form is no longer supported. This patch makes git commands show the dash-less version. For shell scripts that do not specify OPTIONS_SPEC, git-sh-setup.sh generates a dash-less usage string now. Signed-off-by: Stephan Beyer <s-beyer@gmx.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-07-06git daemon: avoid calling syslog() from a signal handlerLibravatar Johannes Schindelin1-20/+50
Signal handlers should never call syslog(), as that can raise signals of its own. Instead, call the syslog() from the master process. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-05-14Provide git_config with a callback-data parameterLibravatar Johannes Schindelin1-2/+2
git_config() only had a function parameter, but no callback data parameter. This assumes that all callback functions only modify global variables. With this patch, every callback gets a void * parameter, and it is hoped that this will help the libification effort. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-02-27daemon: ensure that base-path is an existing directoryLibravatar Johannes Sixt1-0/+8
Any request to the daemon would fail if base-path (if specified) is not a directory. We now check for this condition early. Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-02-27daemon: send more error messages to the syslogLibravatar Johannes Sixt1-5/+5
There were a number of die() calls before the syslog was opened; hence, these error messages would have been sent to /dev/null in detached mode. Now we install the daemon-specific die routine before any error message is generated so that these messages go to the syslog. Signed-off-by: Johannes Sixt <johannes.sixt@telecom.at> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-11-08Style: place opening brace of a function definition at column 1Libravatar Junio C Hamano1-2/+4
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-11-05git-daemon: fix remote port number in log entryLibravatar Gerrit Pape1-2/+2
The port number in struct sockaddr_in needs to be converted from network byte order to host byte order (on some architectures). Signed-off-by: Gerrit Pape <pape@smarden.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-10-18Define NI_MAXSERV if not defined by operating systemLibravatar Patrick Welche1-0/+4
I found I needed NI_MAXSERV as it is defined in netdb.h, which is not included by daemon.c. Rather than including the whole header we can define a reasonable fallback value. Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2007-08-01--base-path-relaxed optionLibravatar Jens Axboe1-2/+24
I switched git.kernel.dk to --base-path a few minutes ago, to get rid of a /data/git postfix in the posted urls. But transitioning is tricky, since now all old paths will fail miserably. So I added this --base-path-relaxed option, that will make git-daemon try the absolute path without prefixing --base-path before giving up. With this in place and --base-path-relaxed added, both my new url of git://git.kernel.dk/linux-2.6-block.git and the old git://git.kernel.dk/data/git/linux-2.6-block.git work fine. Signed-off-by: Jens Axboe <jens.axboe@oracle.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-06-08Missing statics.Libravatar Pierre Habouzit1-1/+1
Signed-off-by: Pierre Habouzit <madcoder@debian.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-06-07War on whitespaceLibravatar Junio C Hamano1-2/+2
This uses "git-apply --whitespace=strip" to fix whitespace errors that have crept in to our source files over time. There are a few files that need to have trailing whitespaces (most notably, test vectors). The results still passes the test, and build result in Documentation/ area is unchanged. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2007-05-21git-daemon: don't ignore pid-file write failureLibravatar Jim Meyering1-2/+2
Note: since the consequence of failure is to call die, I don't bother to close "f". Signed-off-by: Jim Meyering <jim@meyering.net> Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-20prefixcmp(): fix-up mechanical conversion.Libravatar Junio C Hamano1-1/+1
Previous step converted use of strncmp() with literal string mechanically even when the result is only used as a boolean: if (!strncmp("foo", arg, 3)) ==> if (!(-prefixcmp(arg, "foo"))) This step manually cleans them up to read: if (!prefixcmp(arg, "foo")) Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-20Mechanical conversion to use prefixcmp()Libravatar Junio C Hamano1-16/+16
This mechanically converts strncmp() to use prefixcmp(), but only when the parameters match specific patterns, so that they can be verified easily. Leftover from this will be fixed in a separate step, including idiotic conversions like if (!strncmp("foo", arg, 3)) => if (!(-prefixcmp(arg, "foo"))) This was done by using this script in px.perl #!/usr/bin/perl -i.bak -p if (/strncmp\(([^,]+), "([^\\"]*)", (\d+)\)/ && (length($2) == $3)) { s|strncmp\(([^,]+), "([^\\"]*)", (\d+)\)|prefixcmp($1, "$2")|; } if (/strncmp\("([^\\"]*)", ([^,]+), (\d+)\)/ && (length($1) == $3)) { s|strncmp\("([^\\"]*)", ([^,]+), (\d+)\)|(-prefixcmp($2, "$1"))|; } and running: $ git grep -l strncmp -- '*.c' | xargs perl px.perl Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-14git-daemon: Avoid leaking the listening sockets into child processes.Libravatar Alexandre Julliard1-0/+10
This makes it possible to restart git-daemon even if some children are still running. Signed-off-by: Alexandre Julliard <julliard@winehq.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-02-03Assorted typo fixesLibravatar Pavel Roskin1-1/+1
Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-28git-push through git protocolLibravatar Linus Torvalds1-0/+7
This allows pushing over the git:// protocol, and while it's not authenticated, it could make sense from within a firewalled setup where nobody but trusted internal people can reach the git port. git-daemon is possibly easier and faster to set up in the kind of situation where you set up git instead of CVS inside a company. "git-receive-pack" is disabled by default, so you need to enable it explicitly by starting git-daemon with the "--enable=receive-pack" command line argument, or by having your config enable it automatically. Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
2007-01-08short i/o: fix calls to write to use xwrite or write_in_fullLibravatar Andy Whitcroft1-1/+1
We have a number of badly checked write() calls. Often we are expecting write() to write exactly the size we requested or fail, this fails to handle interrupts or short writes. Switch to using the new write_in_full(). Otherwise we at a minimum need to check for EINTR and EAGAIN, where this is appropriate use xwrite(). Note, the changes to config handling are much larger and handled in the next patch in the sequence. Signed-off-by: Andy Whitcroft <apw@shadowen.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-12-20simplify inclusion of system header files.Libravatar Junio C Hamano1-13/+3
This is a mechanical clean-up of the way *.c files include system header files. (1) sources under compat/, platform sha-1 implementations, and xdelta code are exempt from the following rules; (2) the first #include must be "git-compat-util.h" or one of our own header file that includes it first (e.g. config.h, builtin.h, pkt-line.h); (3) system headers that are included in "git-compat-util.h" need not be included in individual C source files. (4) "git-compat-util.h" does not have to include subsystem specific header files (e.g. expat.h). Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-10-23daemon: do not die on older clients.Libravatar Junio C Hamano1-1/+5
In the older times, the clients did not say which host they were trying to connect, and the code we recently added did not quite handle the older clients correctly. Noticed by Simon Arlott. Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-09-28fix daemon.c compilation for NO_IPV6=1Libravatar Alex Riesen1-1/+1
Signed-off-by: Alex Riesen <raa.lkml@gmail.com> Signed-off-by: Junio C Hamano <junkio@cox.net>