[thirdparty/git.git] / shell.c

#include "cache.h"
#include "quote.h"
#include "exec-cmd.h"
#include "strbuf.h"
#include "run-command.h"
#include "alias.h"
#include "prompt.h"

#define COMMAND_DIR "git-shell-commands"
#define HELP_COMMAND COMMAND_DIR "/help"
#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"

static int do_generic_cmd(const char *me, char *arg)
{
	const char *my_argv[4];

	setup_path();
	if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
		die("bad argument");
	if (!skip_prefix(me, "git-", &me))
		die("bad command");

	my_argv[0] = me;
	my_argv[1] = arg;
	my_argv[2] = NULL;

	return execv_git_cmd(my_argv);
}

static int is_valid_cmd_name(const char *cmd)
{
	/* Test command contains no . or / characters */
	return cmd[strcspn(cmd, "./")] == '\0';
}

static char *make_cmd(const char *prog)
{
	return xstrfmt("%s/%s", COMMAND_DIR, prog);
}

static void cd_to_homedir(void)
{
	const char *home = getenv("HOME");
	if (!home)
		die("could not determine user's home directory; HOME is unset");
	if (chdir(home) == -1)
		die("could not chdir to user's home directory");
}

#define MAX_INTERACTIVE_COMMAND (4*1024*1024)

static void run_shell(void)
{
	int done = 0;
	static const char *help_argv[] = { HELP_COMMAND, NULL };

	if (!access(NOLOGIN_COMMAND, F_OK)) {
		/* Interactive login disabled. */
		const char *argv[] = { NOLOGIN_COMMAND, NULL };
		int status;

		status = run_command_v_opt(argv, 0);
		if (status < 0)
			exit(127);
		exit(status);
	}

	/* Print help if enabled */
	run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);

	do {
		const char *prog;
		char *full_cmd;
		char *rawargs;
		size_t len;
		char *split_args;
		const char **argv;
		int code;
		int count;

		fprintf(stderr, "git> ");

		/*
		 * Avoid using a strbuf or git_read_line_interactively() here.
		 * We don't want to allocate arbitrary amounts of memory on
		 * behalf of a possibly untrusted client, and we're subject to
		 * OS limits on command length anyway.
		 */
		fflush(stdout);
		rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
		if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
			fprintf(stderr, "\n");
			free(rawargs);
			break;
		}
		len = strlen(rawargs);

		/*
		 * If we truncated due to our input buffer size, reject the
		 * command. That's better than running bogus input, and
		 * there's a good chance it's just malicious garbage anyway.
		 */
		if (len >= MAX_INTERACTIVE_COMMAND - 1)
			die("invalid command format: input too long");

		if (len > 0 && rawargs[len - 1] == '\n') {
			if (--len > 0 && rawargs[len - 1] == '\r')
				--len;
			rawargs[len] = '\0';
		}

		split_args = xstrdup(rawargs);
		count = split_cmdline(split_args, &argv);
		if (count < 0) {
			fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
				split_cmdline_strerror(count));
			free(split_args);
			free(rawargs);
			continue;
		}

		prog = argv[0];
		if (!strcmp(prog, "")) {
		} else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") ||
			   !strcmp(prog, "exit") || !strcmp(prog, "bye")) {
			done = 1;
		} else if (is_valid_cmd_name(prog)) {
			full_cmd = make_cmd(prog);
			argv[0] = full_cmd;
			code = run_command_v_opt(argv, RUN_SILENT_EXEC_FAILURE);
			if (code == -1 && errno == ENOENT) {
				fprintf(stderr, "unrecognized command '%s'\n", prog);
			}
			free(full_cmd);
		} else {
			fprintf(stderr, "invalid command format '%s'\n", prog);
		}

		free(argv);
		free(rawargs);
	} while (!done);
}

static struct commands {
	const char *name;
	int (*exec)(const char *me, char *arg);
} cmd_list[] = {
	{ "git-receive-pack", do_generic_cmd },
	{ "git-upload-pack", do_generic_cmd },
	{ "git-upload-archive", do_generic_cmd },
	{ NULL },
};

int cmd_main(int argc, const char **argv)
{
	char *prog;
	const char **user_argv;
	struct commands *cmd;
	int count;

	/*
	 * Special hack to pretend to be a CVS server
	 */
	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
		argv--;
	} else if (argc == 1) {
		/* Allow the user to run an interactive shell */
		cd_to_homedir();
		if (access(COMMAND_DIR, R_OK | X_OK) == -1) {
			die("Interactive git shell is not enabled.\n"
			    "hint: ~/" COMMAND_DIR " should exist "
			    "and have read and execute access.");
		}
		run_shell();
		exit(0);
	} else if (argc != 3 || strcmp(argv[1], "-c")) {
		/*
		 * We do not accept any other modes except "-c" followed by
		 * "cmd arg", where "cmd" is a very limited subset of git
		 * commands or a command in the COMMAND_DIR
		 */
		die("Run with no arguments or with -c cmd");
	}

	prog = xstrdup(argv[2]);
	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
		/* Accept "git foo" as if the caller said "git-foo". */
		prog[3] = '-';

	for (cmd = cmd_list ; cmd->name ; cmd++) {
		int len = strlen(cmd->name);
		char *arg;
		if (strncmp(cmd->name, prog, len))
			continue;
		arg = NULL;
		switch (prog[len]) {
		case '\0':
			arg = NULL;
			break;
		case ' ':
			arg = prog + len + 1;
			break;
		default:
			continue;
		}
		exit(cmd->exec(cmd->name, arg));
	}

	cd_to_homedir();
	count = split_cmdline(prog, &user_argv);
	if (count >= 0) {
		if (is_valid_cmd_name(user_argv[0])) {
			prog = make_cmd(user_argv[0]);
			user_argv[0] = prog;
			execv(user_argv[0], (char *const *) user_argv);
		}
		free(prog);
		free(user_argv);
		die("unrecognized command '%s'", argv[2]);
	} else {
		free(prog);
		die("invalid command format '%s': %s", argv[2],
		    split_cmdline_strerror(count));
	}
}
Commit	Line	Data
35eb2d36 LT	1	#include "cache.h"
35eb2d36 LT	2	#include "quote.h"
d807c4a0	3	#include "exec-cmd.h"
0c696fe7	4	#include "strbuf.h"
e69164dd	5	#include "run-command.h"
65b5f948	6	#include "alias.h"
08d383f2	7	#include "prompt.h"
35eb2d36	8
2dbc887e	9	#define COMMAND_DIR "git-shell-commands"
e69164dd	10	#define HELP_COMMAND COMMAND_DIR "/help"
35297089	11	#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"
2dbc887e	12
35eb2d36 LT	13	static int do_generic_cmd(const char me, char arg)
	14	{
	15	const char *my_argv[4];
	16
e1464ca7	17	setup_path();
3ec80449	18	if (!arg \|\| !(arg = sq_dequote(arg)) \|\| *arg == '-')
35eb2d36	19	die("bad argument");
ec6ee0c0	20	if (!skip_prefix(me, "git-", &me))
77cb17e9	21	die("bad command");
35eb2d36	22
ec6ee0c0	23	my_argv[0] = me;
35eb2d36 LT	24	my_argv[1] = arg;
	25	my_argv[2] = NULL;
	26
9201c707	27	return execv_git_cmd(my_argv);
35eb2d36 LT	28	}
35eb2d36 LT	29
2dbc887e GB	30	static int is_valid_cmd_name(const char *cmd)
	31	{
	32	/* Test command contains no . or / characters */
	33	return cmd[strcspn(cmd, "./")] == '\0';
	34	}
	35
	36	static char make_cmd(const char prog)
	37	{
b2724c87	38	return xstrfmt("%s/%s", COMMAND_DIR, prog);
2dbc887e GB	39	}
	40
	41	static void cd_to_homedir(void)
	42	{
	43	const char *home = getenv("HOME");
	44	if (!home)
	45	die("could not determine user's home directory; HOME is unset");
	46	if (chdir(home) == -1)
	47	die("could not chdir to user's home directory");
	48	}
0c696fe7	49
71ad7fe1 JK	50	#define MAX_INTERACTIVE_COMMAND (410241024)
71ad7fe1 JK	51
e69164dd GB	52	static void run_shell(void)
	53	{
	54	int done = 0;
	55	static const char *help_argv[] = { HELP_COMMAND, NULL };
35297089 JN	56
	57	if (!access(NOLOGIN_COMMAND, F_OK)) {
	58	/* Interactive login disabled. */
	59	const char *argv[] = { NOLOGIN_COMMAND, NULL };
	60	int status;
	61
	62	status = run_command_v_opt(argv, 0);
	63	if (status < 0)
	64	exit(127);
	65	exit(status);
	66	}
	67
e69164dd GB	68	/* Print help if enabled */
	69	run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);
	70
	71	do {
e69164dd GB	72	const char *prog;
	73	char *full_cmd;
	74	char *rawargs;
71ad7fe1	75	size_t len;
9f29fe9a	76	char *split_args;
e69164dd GB	77	const char **argv;
e69164dd GB	78	int code;
9f29fe9a	79	int count;
e69164dd GB	80
e69164dd GB	81	fprintf(stderr, "git> ");
71ad7fe1 JK	82
	83	/*
	84	* Avoid using a strbuf or git_read_line_interactively() here.
	85	* We don't want to allocate arbitrary amounts of memory on
	86	* behalf of a possibly untrusted client, and we're subject to
	87	* OS limits on command length anyway.
	88	*/
	89	fflush(stdout);
	90	rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
	91	if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
e69164dd	92	fprintf(stderr, "\n");
71ad7fe1	93	free(rawargs);
e69164dd GB	94	break;
e69164dd GB	95	}
71ad7fe1 JK	96	len = strlen(rawargs);
	97
	98	/*
	99	* If we truncated due to our input buffer size, reject the
	100	* command. That's better than running bogus input, and
	101	* there's a good chance it's just malicious garbage anyway.
	102	*/
	103	if (len >= MAX_INTERACTIVE_COMMAND - 1)
	104	die("invalid command format: input too long");
	105
	106	if (len > 0 && rawargs[len - 1] == '\n') {
	107	if (--len > 0 && rawargs[len - 1] == '\r')
	108	--len;
	109	rawargs[len] = '\0';
	110	}
	111
9f29fe9a GB	112	split_args = xstrdup(rawargs);
	113	count = split_cmdline(split_args, &argv);
	114	if (count < 0) {
	115	fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
	116	split_cmdline_strerror(count));
	117	free(split_args);
e69164dd GB	118	free(rawargs);
	119	continue;
	120	}
	121
	122	prog = argv[0];
	123	if (!strcmp(prog, "")) {
	124	} else if (!strcmp(prog, "quit") \|\| !strcmp(prog, "logout") \|\|
	125	!strcmp(prog, "exit") \|\| !strcmp(prog, "bye")) {
	126	done = 1;
	127	} else if (is_valid_cmd_name(prog)) {
	128	full_cmd = make_cmd(prog);
	129	argv[0] = full_cmd;
	130	code = run_command_v_opt(argv, RUN_SILENT_EXEC_FAILURE);
	131	if (code == -1 && errno == ENOENT) {
	132	fprintf(stderr, "unrecognized command '%s'\n", prog);
	133	}
	134	free(full_cmd);
	135	} else {
	136	fprintf(stderr, "invalid command format '%s'\n", prog);
	137	}
	138
	139	free(argv);
	140	free(rawargs);
	141	} while (!done);
	142	}
	143
35eb2d36 LT	144	static struct commands {
	145	const char *name;
	146	int (exec)(const char me, char *arg);
	147	} cmd_list[] = {
	148	{ "git-receive-pack", do_generic_cmd },
	149	{ "git-upload-pack", do_generic_cmd },
79f72b97	150	{ "git-upload-archive", do_generic_cmd },
35eb2d36 LT	151	{ NULL },
	152	};
	153
3f2e2297	154	int cmd_main(int argc, const char **argv)
35eb2d36 LT	155	{
35eb2d36 LT	156	char *prog;
2dbc887e	157	const char **user_argv;
35eb2d36	158	struct commands *cmd;
9f29fe9a	159	int count;
0cfeed2e	160
bc7c73e2 JH	161	/*
	162	* Special hack to pretend to be a CVS server
	163	*/
e69164dd	164	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
0c696fe7	165	argv--;
e69164dd GB	166	} else if (argc == 1) {
	167	/* Allow the user to run an interactive shell */
	168	cd_to_homedir();
70256a3a RR	169	if (access(COMMAND_DIR, R_OK \| X_OK) == -1) {
	170	die("Interactive git shell is not enabled.\n"
	171	"hint: ~/" COMMAND_DIR " should exist "
	172	"and have read and execute access.");
	173	}
e69164dd GB	174	run_shell();
	175	exit(0);
	176	} else if (argc != 3 \|\| strcmp(argv[1], "-c")) {
	177	/*
	178	* We do not accept any other modes except "-c" followed by
	179	* "cmd arg", where "cmd" is a very limited subset of git
	180	* commands or a command in the COMMAND_DIR
	181	*/
	182	die("Run with no arguments or with -c cmd");
	183	}
35eb2d36	184
2dbc887e	185	prog = xstrdup(argv[2]);
bc7c73e2 JH	186	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
	187	/* Accept "git foo" as if the caller said "git-foo". */
	188	prog[3] = '-';
	189
35eb2d36 LT	190	for (cmd = cmd_list ; cmd->name ; cmd++) {
	191	int len = strlen(cmd->name);
	192	char *arg;
	193	if (strncmp(cmd->name, prog, len))
	194	continue;
	195	arg = NULL;
	196	switch (prog[len]) {
	197	case '\0':
	198	arg = NULL;
	199	break;
	200	case ' ':
	201	arg = prog + len + 1;
	202	break;
	203	default:
	204	continue;
	205	}
	206	exit(cmd->exec(cmd->name, arg));
	207	}
2dbc887e GB	208
2dbc887e GB	209	cd_to_homedir();
9f29fe9a GB	210	count = split_cmdline(prog, &user_argv);
9f29fe9a GB	211	if (count >= 0) {
2dbc887e GB	212	if (is_valid_cmd_name(user_argv[0])) {
	213	prog = make_cmd(user_argv[0]);
	214	user_argv[0] = prog;
	215	execv(user_argv[0], (char const ) user_argv);
	216	}
	217	free(prog);
	218	free(user_argv);
	219	die("unrecognized command '%s'", argv[2]);
	220	} else {
	221	free(prog);
9f29fe9a GB	222	die("invalid command format '%s': %s", argv[2],
9f29fe9a GB	223	split_cmdline_strerror(count));
2dbc887e	224	}
35eb2d36	225	}