]>
Commit | Line | Data |
---|---|---|
35eb2d36 LT |
1 | #include "cache.h" |
2 | #include "quote.h" | |
d807c4a0 | 3 | #include "exec-cmd.h" |
0c696fe7 | 4 | #include "strbuf.h" |
e69164dd | 5 | #include "run-command.h" |
65b5f948 | 6 | #include "alias.h" |
08d383f2 | 7 | #include "prompt.h" |
35eb2d36 | 8 | |
2dbc887e | 9 | #define COMMAND_DIR "git-shell-commands" |
e69164dd | 10 | #define HELP_COMMAND COMMAND_DIR "/help" |
35297089 | 11 | #define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login" |
2dbc887e | 12 | |
35eb2d36 LT |
13 | static int do_generic_cmd(const char *me, char *arg) |
14 | { | |
15 | const char *my_argv[4]; | |
16 | ||
e1464ca7 | 17 | setup_path(); |
3ec80449 | 18 | if (!arg || !(arg = sq_dequote(arg)) || *arg == '-') |
35eb2d36 | 19 | die("bad argument"); |
ec6ee0c0 | 20 | if (!skip_prefix(me, "git-", &me)) |
77cb17e9 | 21 | die("bad command"); |
35eb2d36 | 22 | |
ec6ee0c0 | 23 | my_argv[0] = me; |
35eb2d36 LT |
24 | my_argv[1] = arg; |
25 | my_argv[2] = NULL; | |
26 | ||
9201c707 | 27 | return execv_git_cmd(my_argv); |
35eb2d36 LT |
28 | } |
29 | ||
2dbc887e GB |
30 | static int is_valid_cmd_name(const char *cmd) |
31 | { | |
32 | /* Test command contains no . or / characters */ | |
33 | return cmd[strcspn(cmd, "./")] == '\0'; | |
34 | } | |
35 | ||
36 | static char *make_cmd(const char *prog) | |
37 | { | |
b2724c87 | 38 | return xstrfmt("%s/%s", COMMAND_DIR, prog); |
2dbc887e GB |
39 | } |
40 | ||
41 | static void cd_to_homedir(void) | |
42 | { | |
43 | const char *home = getenv("HOME"); | |
44 | if (!home) | |
45 | die("could not determine user's home directory; HOME is unset"); | |
46 | if (chdir(home) == -1) | |
47 | die("could not chdir to user's home directory"); | |
48 | } | |
0c696fe7 | 49 | |
71ad7fe1 JK |
50 | #define MAX_INTERACTIVE_COMMAND (4*1024*1024) |
51 | ||
e69164dd GB |
52 | static void run_shell(void) |
53 | { | |
54 | int done = 0; | |
55 | static const char *help_argv[] = { HELP_COMMAND, NULL }; | |
35297089 JN |
56 | |
57 | if (!access(NOLOGIN_COMMAND, F_OK)) { | |
58 | /* Interactive login disabled. */ | |
59 | const char *argv[] = { NOLOGIN_COMMAND, NULL }; | |
60 | int status; | |
61 | ||
62 | status = run_command_v_opt(argv, 0); | |
63 | if (status < 0) | |
64 | exit(127); | |
65 | exit(status); | |
66 | } | |
67 | ||
e69164dd GB |
68 | /* Print help if enabled */ |
69 | run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE); | |
70 | ||
71 | do { | |
e69164dd GB |
72 | const char *prog; |
73 | char *full_cmd; | |
74 | char *rawargs; | |
71ad7fe1 | 75 | size_t len; |
9f29fe9a | 76 | char *split_args; |
e69164dd GB |
77 | const char **argv; |
78 | int code; | |
9f29fe9a | 79 | int count; |
e69164dd GB |
80 | |
81 | fprintf(stderr, "git> "); | |
71ad7fe1 JK |
82 | |
83 | /* | |
84 | * Avoid using a strbuf or git_read_line_interactively() here. | |
85 | * We don't want to allocate arbitrary amounts of memory on | |
86 | * behalf of a possibly untrusted client, and we're subject to | |
87 | * OS limits on command length anyway. | |
88 | */ | |
89 | fflush(stdout); | |
90 | rawargs = xmalloc(MAX_INTERACTIVE_COMMAND); | |
91 | if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) { | |
e69164dd | 92 | fprintf(stderr, "\n"); |
71ad7fe1 | 93 | free(rawargs); |
e69164dd GB |
94 | break; |
95 | } | |
71ad7fe1 JK |
96 | len = strlen(rawargs); |
97 | ||
98 | /* | |
99 | * If we truncated due to our input buffer size, reject the | |
100 | * command. That's better than running bogus input, and | |
101 | * there's a good chance it's just malicious garbage anyway. | |
102 | */ | |
103 | if (len >= MAX_INTERACTIVE_COMMAND - 1) | |
104 | die("invalid command format: input too long"); | |
105 | ||
106 | if (len > 0 && rawargs[len - 1] == '\n') { | |
107 | if (--len > 0 && rawargs[len - 1] == '\r') | |
108 | --len; | |
109 | rawargs[len] = '\0'; | |
110 | } | |
111 | ||
9f29fe9a GB |
112 | split_args = xstrdup(rawargs); |
113 | count = split_cmdline(split_args, &argv); | |
114 | if (count < 0) { | |
115 | fprintf(stderr, "invalid command format '%s': %s\n", rawargs, | |
116 | split_cmdline_strerror(count)); | |
117 | free(split_args); | |
e69164dd GB |
118 | free(rawargs); |
119 | continue; | |
120 | } | |
121 | ||
122 | prog = argv[0]; | |
123 | if (!strcmp(prog, "")) { | |
124 | } else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") || | |
125 | !strcmp(prog, "exit") || !strcmp(prog, "bye")) { | |
126 | done = 1; | |
127 | } else if (is_valid_cmd_name(prog)) { | |
128 | full_cmd = make_cmd(prog); | |
129 | argv[0] = full_cmd; | |
130 | code = run_command_v_opt(argv, RUN_SILENT_EXEC_FAILURE); | |
131 | if (code == -1 && errno == ENOENT) { | |
132 | fprintf(stderr, "unrecognized command '%s'\n", prog); | |
133 | } | |
134 | free(full_cmd); | |
135 | } else { | |
136 | fprintf(stderr, "invalid command format '%s'\n", prog); | |
137 | } | |
138 | ||
139 | free(argv); | |
140 | free(rawargs); | |
141 | } while (!done); | |
142 | } | |
143 | ||
35eb2d36 LT |
144 | static struct commands { |
145 | const char *name; | |
146 | int (*exec)(const char *me, char *arg); | |
147 | } cmd_list[] = { | |
148 | { "git-receive-pack", do_generic_cmd }, | |
149 | { "git-upload-pack", do_generic_cmd }, | |
79f72b97 | 150 | { "git-upload-archive", do_generic_cmd }, |
35eb2d36 LT |
151 | { NULL }, |
152 | }; | |
153 | ||
3f2e2297 | 154 | int cmd_main(int argc, const char **argv) |
35eb2d36 LT |
155 | { |
156 | char *prog; | |
2dbc887e | 157 | const char **user_argv; |
35eb2d36 | 158 | struct commands *cmd; |
9f29fe9a | 159 | int count; |
0cfeed2e | 160 | |
bc7c73e2 JH |
161 | /* |
162 | * Special hack to pretend to be a CVS server | |
163 | */ | |
e69164dd | 164 | if (argc == 2 && !strcmp(argv[1], "cvs server")) { |
0c696fe7 | 165 | argv--; |
e69164dd GB |
166 | } else if (argc == 1) { |
167 | /* Allow the user to run an interactive shell */ | |
168 | cd_to_homedir(); | |
70256a3a RR |
169 | if (access(COMMAND_DIR, R_OK | X_OK) == -1) { |
170 | die("Interactive git shell is not enabled.\n" | |
171 | "hint: ~/" COMMAND_DIR " should exist " | |
172 | "and have read and execute access."); | |
173 | } | |
e69164dd GB |
174 | run_shell(); |
175 | exit(0); | |
176 | } else if (argc != 3 || strcmp(argv[1], "-c")) { | |
177 | /* | |
178 | * We do not accept any other modes except "-c" followed by | |
179 | * "cmd arg", where "cmd" is a very limited subset of git | |
180 | * commands or a command in the COMMAND_DIR | |
181 | */ | |
182 | die("Run with no arguments or with -c cmd"); | |
183 | } | |
35eb2d36 | 184 | |
2dbc887e | 185 | prog = xstrdup(argv[2]); |
bc7c73e2 JH |
186 | if (!strncmp(prog, "git", 3) && isspace(prog[3])) |
187 | /* Accept "git foo" as if the caller said "git-foo". */ | |
188 | prog[3] = '-'; | |
189 | ||
35eb2d36 LT |
190 | for (cmd = cmd_list ; cmd->name ; cmd++) { |
191 | int len = strlen(cmd->name); | |
192 | char *arg; | |
193 | if (strncmp(cmd->name, prog, len)) | |
194 | continue; | |
195 | arg = NULL; | |
196 | switch (prog[len]) { | |
197 | case '\0': | |
198 | arg = NULL; | |
199 | break; | |
200 | case ' ': | |
201 | arg = prog + len + 1; | |
202 | break; | |
203 | default: | |
204 | continue; | |
205 | } | |
338abb0f | 206 | return cmd->exec(cmd->name, arg); |
35eb2d36 | 207 | } |
2dbc887e GB |
208 | |
209 | cd_to_homedir(); | |
9f29fe9a GB |
210 | count = split_cmdline(prog, &user_argv); |
211 | if (count >= 0) { | |
2dbc887e GB |
212 | if (is_valid_cmd_name(user_argv[0])) { |
213 | prog = make_cmd(user_argv[0]); | |
214 | user_argv[0] = prog; | |
215 | execv(user_argv[0], (char *const *) user_argv); | |
216 | } | |
217 | free(prog); | |
218 | free(user_argv); | |
219 | die("unrecognized command '%s'", argv[2]); | |
220 | } else { | |
221 | free(prog); | |
9f29fe9a GB |
222 | die("invalid command format '%s': %s", argv[2], |
223 | split_cmdline_strerror(count)); | |
2dbc887e | 224 | } |
35eb2d36 | 225 | } |