Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-2.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-2.patch | 292 |
1 files changed, 292 insertions, 0 deletions
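--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-2.patch
@@ -0,0 +1,292 @@
+From 5588659069214aa0f7fea75a69687078e2f7a817 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:47:30 -0700
+Subject: [PATCH 05/12] t0300: use more realistic inputs
+
+Many of the tests in t0300 give partial inputs to git-credential,
+omitting a protocol or hostname. We're checking only high-level things
+like whether and how helpers are invoked at all, and we don't care about
+specific hosts. However, in preparation for tightening up the rules
+about when we're willing to run a helper, let's start using input that's
+a bit more realistic: pretend as if http://example.com is being
+examined.
+
+This shouldn't change the point of any of the tests, but do note we have
+to adjust the expected output to accommodate this (filling a credential
+will repeat back the protocol/host fields to stdout, and the helper
+debug messages and askpass prompt will change on stderr).
+
+Signed-off-by: Jeff King <peff@peff.net>
+Reviewed-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (2)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+t/t0300-credentials.sh | 89 +++++++++++++++++++++++++++++++++++++++++++++++---
+1 file changed, 85 insertions(+), 4 deletions(-)
+
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 0206b3b..f4c5d7f 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -40,43 +40,71 @@ test_expect_success 'setup helper scripts' '
+
+test_expect_success 'credential_fill invokes helper' '
+check fill "verbatim foo bar" <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=foo
+password=bar
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+EOF
+'
+
+test_expect_success 'credential_fill invokes multiple helpers' '
+check fill useless "verbatim foo bar" <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=foo
+password=bar
+--
+useless: get
++ useless: protocol=http
++ useless: host=example.com
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+EOF
+'
+
+test_expect_success 'credential_fill stops when we get a full response' '
+check fill "verbatim one two" "verbatim three four" <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=one
+password=two
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+EOF
+'
+
+test_expect_success 'credential_fill continues through partial response' '
+check fill "verbatim one \"\"" "verbatim two three" <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=two
+password=three
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: username=one
+EOF
+'
+@@ -102,14 +130,20 @@ test_expect_success 'credential_fill passes along metadata' '
+
+test_expect_success 'credential_approve calls all helpers' '
+check approve useless "verbatim one two" <<-\EOF
++ protocol=http
++ host=example.com
+username=foo
+password=bar
+--
+--
+useless: store
++ useless: protocol=http
++ useless: host=example.com
+useless: username=foo
+useless: password=bar
+verbatim: store
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: username=foo
+verbatim: password=bar
+EOF
+@@ -117,6 +151,8 @@ test_expect_success 'credential_approve calls all helpers' '
+
+test_expect_success 'do not bother storing password-less credential' '
+check approve useless <<-\EOF
++ protocol=http
++ host=example.com
+username=foo
+--
+--
+@@ -126,14 +162,20 @@ test_expect_success 'do not bother storing password-less credential' '
+
+test_expect_success 'credential_reject calls all helpers' '
+check reject useless "verbatim one two" <<-\EOF
++ protocol=http
++ host=example.com
+username=foo
+password=bar
+--
+--
+useless: erase
++ useless: protocol=http
++ useless: host=example.com
+useless: username=foo
+useless: password=bar
+verbatim: erase
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: username=foo
+verbatim: password=bar
+EOF
+@@ -141,33 +183,49 @@ test_expect_success 'credential_reject calls all helpers' '
+
+test_expect_success 'usernames can be preserved' '
+check fill "verbatim \"\" three" <<-\EOF
++ protocol=http
++ host=example.com
+username=one
+--
++ protocol=http
++ host=example.com
+username=one
+password=three
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: username=one
+EOF
+'
+
+test_expect_success 'usernames can be overridden' '
+check fill "verbatim two three" <<-\EOF
++ protocol=http
++ host=example.com
+username=one
+--
++ protocol=http
++ host=example.com
+username=two
+password=three
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+verbatim: username=one
+EOF
+'
+
+test_expect_success 'do not bother completing already-full credential' '
+check fill "verbatim three four" <<-\EOF
++ protocol=http
++ host=example.com
+username=one
+password=two
+--
++ protocol=http
++ host=example.com
+username=one
+password=two
+--
+@@ -179,23 +237,31 @@ test_expect_success 'do not bother completing already-full credential' '
+# askpass helper is run, we know the internal getpass is working.
+test_expect_success 'empty helper list falls back to internal getpass' '
+check fill <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=askpass-username
+password=askpass-password
+--
+- askpass: Username:
+- askpass: Password:
++ askpass: Username for '\''http://example.com'\'':
++ askpass: Password for '\''http://askpass-username@example.com'\'':
+EOF
+'
+
+test_expect_success 'internal getpass does not ask for known username' '
+check fill <<-\EOF
++ protocol=http
++ host=example.com
+username=foo
+--
++ protocol=http
++ host=example.com
+username=foo
+password=askpass-password
+--
+- askpass: Password:
++ askpass: Password for '\''http://foo@example.com'\'':
+EOF
+'
+
+@@ -207,7 +273,11 @@ HELPER="!f() {
+test_expect_success 'respect configured credentials' '
+test_config credential.helper "$HELPER" &&
+check fill <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=foo
+password=bar
+--
+@@ -298,11 +368,16 @@ test_expect_success 'helpers can abort the process' '
+test_must_fail git \
+-c credential.helper=quit \
+-c credential.helper="verbatim foo bar" \
+- credential fill >stdout 2>stderr &&
++ credential fill >stdout 2>stderr <<-\EOF &&
++ protocol=http
++ host=example.com
++ EOF
+>expect &&
+test_cmp expect stdout &&
+cat >expect <<-\EOF &&
+quit: get
++ quit: protocol=http
++ quit: host=example.com
+fatal: credential helper '\''quit'\'' told us to quit
+EOF
+test_i18ncmp expect stderr
+@@ -311,11 +386,17 @@ test_expect_success 'helpers can abort the process' '
+test_expect_success 'empty helper spec resets helper list' '
+test_config credential.helper "verbatim file file" &&
+check fill "" "verbatim cmdline cmdline" <<-\EOF
++ protocol=http
++ host=example.com
+--
++ protocol=http
++ host=example.com
+username=cmdline
+password=cmdline
+--
+verbatim: get
++ verbatim: protocol=http
++ verbatim: host=example.com
+EOF
+'
+
+--
+1.9.1
+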
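Review bot: The `CVE: CVE-2020-11008 (2)` trailer presents this file as part of the CVE fix, but every hunk of the embedded diff touches only t/t0300-credentials.sh, adding `protocol=http` / `host=example.com` inputs and the matching expected helper and askpass output; the commit message itself calls it preparation for tightening the helper rules, so on its own it provides no hardening. A one-line note under the trailer, e.g. `Note: test-only preparation; the credential.c change is carried in the other patches of this series.`, would keep a later reviewer from counting this patch as the fix or dropping its companions. The rewritten askpass expectations (`askpass: Password for '\''http://askpass-username@example.com'\'':`) and the surrounding context lines must match the git version the recipe builds; the `1.9.1` footer appears to be the format-patch version used to regenerate the backport, so a t0300 failure after applying the series would more likely point at this context than at the fix. Whether the companion patches are listed in the recipe's SRC_URI is not visible in this diff.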