Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-3.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-3.patch | 97 |
1 files changed, 97 insertions, 0 deletions
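--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-3.patch
@@ -0,0 +1,97 @@
+From 22f28251ae575dd7a60f7a46853469025d004ca7 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:48:05 -0700
+Subject: [PATCH 06/12] credential: parse URL without host as empty host, not
+unset
+
+We may feed a URL like "cert:///path/to/cert.pem" into the credential
+machinery to get the key for a client-side certificate. That
+credential has no hostname field, which is about to be disallowed (to
+avoid confusion with protocols where a helper _would_ expect a
+hostname).
+
+This means as of the next patch, credential helpers won't work for
+unlocking certs. Let's fix that by doing two things:
+
+- when we parse a url with an empty host, set the host field to the
+empty string (asking only to match stored entries with an empty
+host) rather than NULL (asking to match _any_ host).
+
+- when we build a cert:// credential by hand, similarly assign an
+empty string
+
+It's the latter that is more likely to impact real users in practice,
+since it's what's used for http connections. But we don't have good
+infrastructure to test it.
+
+The url-parsing version will help anybody using git-credential in a
+script, and is easy to test.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Reviewed-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (3)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+credential.c | 3 +--
+http.c | 1 +
+t/t0300-credentials.sh | 17 +++++++++++++++++
+3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index 2482382..f2413ce 100644
+--- a/credential.c
++++ b/credential.c
+@@ -376,8 +376,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
+
+if (proto_end - url > 0)
+c->protocol = xmemdupz(url, proto_end - url);
+- if (slash - host > 0)
+- c->host = url_decode_mem(host, slash - host);
++ c->host = url_decode_mem(host, slash - host);
+/* Trim leading and trailing slashes from path */
+while (*slash == '/')
+slash++;
+diff --git a/http.c b/http.c
+index 27aa0a3..c4dfdac 100644
+--- a/http.c
++++ b/http.c
+@@ -558,6 +558,7 @@ static int has_cert_password(void)
+return 0;
+if (!cert_auth.password) {
+cert_auth.protocol = xstrdup("cert");
++ cert_auth.host = xstrdup("");
+cert_auth.username = xstrdup("");
+cert_auth.path = xstrdup(ssl_cert);
+credential_fill(&cert_auth);
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index f4c5d7f..1c1010b 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -414,4 +414,21 @@ test_expect_success 'url parser ignores embedded newlines' '
+EOF
+'
+
++test_expect_success 'host-less URLs are parsed as empty host' '
++ check fill "verbatim foo bar" <<-\EOF
++ url=cert:///path/to/cert.pem
++ --
++ protocol=cert
++ host=
++ path=path/to/cert.pem
++ username=foo
++ password=bar
++ --
++ verbatim: get
++ verbatim: protocol=cert
++ verbatim: host=
++ verbatim: path=path/to/cert.pem
++ EOF
++'
++
+test_done
+--
+1.9.1
+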
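Review bot: The new unconditional `c->host = url_decode_mem(host, slash - host);` in the credential.c hunk only closes the "match any host" wildcard if `url_decode_mem` returns an allocated empty string for a zero-length span; a NULL there would leave `host` unset and a helper such as credential-store would still hand back stored credentials for any host, which is exactly what this series is removing. The backport base is not upstream's (index 2482382), so that should be confirmed in this tree; the added t0300 case expecting `host=` is that check, so make sure the recipe's ptest actually runs t0300. The commit message also says host-less credentials are "about to be disallowed" by the next patch, so this file is only effective together with the follow-up, presumably the -4 patch in the same recipe. Both `credential_from_url_gently` and `has_cert_password` begin outside their hunks.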