Diffstat (limited to 'meta/recipes-devtools/git/git/CVE-2020-11008-6.patch')
-rw-r--r-- | meta/recipes-devtools/git/git/CVE-2020-11008-6.patch | 84 |
1 files changed, 84 insertions, 0 deletions
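diff --git a/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
new file mode 100644
index 0000000000..6b36893030
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2020-11008-6.patch
@@ -0,0 +1,84 @@
+From 883508bcebe87fbe7fb7392272e930c27c30fdc2 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 18 Apr 2020 20:53:09 -0700
+Subject: [PATCH 09/12] credential: die() when parsing invalid urls
+
+When we try to initialize credential loading by URL and find that the
+URL is invalid, we set all fields to NULL in order to avoid acting on
+malicious input. Later when we request credentials, we diagonse the
+erroneous input:
+
+fatal: refusing to work with credential missing host field
+
+This is problematic in two ways:
+
+- The message doesn't tell the user *why* we are missing the host
+field, so they can't tell from this message alone how to recover.
+There can be intervening messages after the original warning of
+bad input, so the user may not have the context to put two and two
+together.
+
+- The error only occurs when we actually need to get a credential. If
+the URL permits anonymous access, the only encouragement the user gets
+to correct their bogus URL is a quiet warning.
+
+This is inconsistent with the check we perform in fsck, where any use
+of such a URL as a submodule is an error.
+
+When we see such a bogus URL, let's not try to be nice and continue
+without helpers. Instead, die() immediately. This is simpler and
+obviously safe. And there's very little chance of disrupting a normal
+workflow.
+
+It's _possible_ that somebody has a legitimate URL with a raw newline in
+it. It already wouldn't work with credential helpers, so this patch
+steps that up from an inconvenience to "we will refuse to work with it
+at all". If such a case does exist, we should figure out a way to work
+with it (especially if the newline is only in the path component, which
+we normally don't even pass to helpers). But until we see a real report,
+we're better off being defensive.
+
+Reported-by: Carlo Arenas <carenas@gmail.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-11008 (6)
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+credential.c | 6 ++----
+t/t0300-credentials.sh | 3 +--
+2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/credential.c b/credential.c
+index e08ed84..22649d5 100644
+--- a/credential.c
++++ b/credential.c
+@@ -408,8 +408,6 @@ int credential_from_url_gently(struct credential *c, const char *url,
+
+void credential_from_url(struct credential *c, const char *url)
+{
+- if (credential_from_url_gently(c, url, 0) < 0) {
+- warning(_("skipping credential lookup for url: %s"), url);
+- credential_clear(c);
+- }
++ if (credential_from_url_gently(c, url, 0) < 0)
++ die(_("credential url cannot be parsed: %s"), url);
+}
+diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
+index 646f845..efed3ea 100755
+--- a/t/t0300-credentials.sh
++++ b/t/t0300-credentials.sh
+@@ -406,8 +406,7 @@ test_expect_success 'url parser rejects embedded newlines' '
+EOF
+cat >expect <<-\EOF &&
+warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
+- warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
+- fatal: refusing to work with credential missing host field
++ fatal: credential url cannot be parsed: https://one.example.com?%0ahost=two.example.com/
+EOF
+test_i18ncmp expect stderr
+'
+--
+1.9.1
+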
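Review bot: The new `die(_("credential url cannot be parsed: %s"), url);` in credential_from_url() prints the rejected URL verbatim, so any userinfo it carries (or the raw newline the commit message says such a URL may contain) can end up on stderr and in whatever build or CI log captures it. The removed warning printed the same string, so this is not a regression. Because the process now exits here, the function deserves a comment such as `/* die()s on an unparseable URL; callers that must survive bad input use credential_from_url_gently() */`. Separately, this file is part 6 of the CVE-2020-11008 series and calls the three-argument credential_from_url_gently(), which presumably comes from an earlier part. The diffstat is limited to this one path, so the recipe's SRC_URI change is not visible; confirm the patch is listed there after parts 1-5.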