]>
Commit | Line | Data |
---|---|---|
1 | #include "git-compat-util.h" | |
2 | #include "quote.h" | |
3 | #include "exec-cmd.h" | |
4 | #include "strbuf.h" | |
5 | #include "run-command.h" | |
6 | #include "alias.h" | |
7 | #include "prompt.h" | |
8 | ||
9 | #define COMMAND_DIR "git-shell-commands" | |
10 | #define HELP_COMMAND COMMAND_DIR "/help" | |
11 | #define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login" | |
12 | ||
13 | static int do_generic_cmd(const char *me, char *arg) | |
14 | { | |
15 | const char *my_argv[4]; | |
16 | ||
17 | setup_path(); | |
18 | if (!arg || !(arg = sq_dequote(arg)) || *arg == '-') | |
19 | die("bad argument"); | |
20 | if (!skip_prefix(me, "git-", &me)) | |
21 | die("bad command"); | |
22 | ||
23 | my_argv[0] = me; | |
24 | my_argv[1] = arg; | |
25 | my_argv[2] = NULL; | |
26 | ||
27 | return execv_git_cmd(my_argv); | |
28 | } | |
29 | ||
30 | static int is_valid_cmd_name(const char *cmd) | |
31 | { | |
32 | /* Test command contains no . or / characters */ | |
33 | return cmd[strcspn(cmd, "./")] == '\0'; | |
34 | } | |
35 | ||
36 | static char *make_cmd(const char *prog) | |
37 | { | |
38 | return xstrfmt("%s/%s", COMMAND_DIR, prog); | |
39 | } | |
40 | ||
41 | static void cd_to_homedir(void) | |
42 | { | |
43 | const char *home = getenv("HOME"); | |
44 | if (!home) | |
45 | die("could not determine user's home directory; HOME is unset"); | |
46 | if (chdir(home) == -1) | |
47 | die("could not chdir to user's home directory"); | |
48 | } | |
49 | ||
50 | #define MAX_INTERACTIVE_COMMAND (4*1024*1024) | |
51 | ||
52 | static void run_shell(void) | |
53 | { | |
54 | int done = 0; | |
55 | struct child_process help_cmd = CHILD_PROCESS_INIT; | |
56 | ||
57 | if (!access(NOLOGIN_COMMAND, F_OK)) { | |
58 | /* Interactive login disabled. */ | |
59 | struct child_process nologin_cmd = CHILD_PROCESS_INIT; | |
60 | int status; | |
61 | ||
62 | strvec_push(&nologin_cmd.args, NOLOGIN_COMMAND); | |
63 | status = run_command(&nologin_cmd); | |
64 | if (status < 0) | |
65 | exit(127); | |
66 | exit(status); | |
67 | } | |
68 | ||
69 | /* Print help if enabled */ | |
70 | help_cmd.silent_exec_failure = 1; | |
71 | strvec_push(&help_cmd.args, HELP_COMMAND); | |
72 | run_command(&help_cmd); | |
73 | ||
74 | do { | |
75 | const char *prog; | |
76 | char *full_cmd; | |
77 | char *rawargs; | |
78 | size_t len; | |
79 | char *split_args; | |
80 | const char **argv; | |
81 | int code; | |
82 | int count; | |
83 | ||
84 | fprintf(stderr, "git> "); | |
85 | ||
86 | /* | |
87 | * Avoid using a strbuf or git_read_line_interactively() here. | |
88 | * We don't want to allocate arbitrary amounts of memory on | |
89 | * behalf of a possibly untrusted client, and we're subject to | |
90 | * OS limits on command length anyway. | |
91 | */ | |
92 | fflush(stdout); | |
93 | rawargs = xmalloc(MAX_INTERACTIVE_COMMAND); | |
94 | if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) { | |
95 | fprintf(stderr, "\n"); | |
96 | free(rawargs); | |
97 | break; | |
98 | } | |
99 | len = strlen(rawargs); | |
100 | ||
101 | /* | |
102 | * If we truncated due to our input buffer size, reject the | |
103 | * command. That's better than running bogus input, and | |
104 | * there's a good chance it's just malicious garbage anyway. | |
105 | */ | |
106 | if (len >= MAX_INTERACTIVE_COMMAND - 1) | |
107 | die("invalid command format: input too long"); | |
108 | ||
109 | if (len > 0 && rawargs[len - 1] == '\n') { | |
110 | if (--len > 0 && rawargs[len - 1] == '\r') | |
111 | --len; | |
112 | rawargs[len] = '\0'; | |
113 | } | |
114 | ||
115 | split_args = xstrdup(rawargs); | |
116 | count = split_cmdline(split_args, &argv); | |
117 | if (count < 0) { | |
118 | fprintf(stderr, "invalid command format '%s': %s\n", rawargs, | |
119 | split_cmdline_strerror(count)); | |
120 | free(split_args); | |
121 | free(rawargs); | |
122 | continue; | |
123 | } | |
124 | ||
125 | prog = argv[0]; | |
126 | if (!strcmp(prog, "")) { | |
127 | } else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") || | |
128 | !strcmp(prog, "exit") || !strcmp(prog, "bye")) { | |
129 | done = 1; | |
130 | } else if (is_valid_cmd_name(prog)) { | |
131 | struct child_process cmd = CHILD_PROCESS_INIT; | |
132 | ||
133 | full_cmd = make_cmd(prog); | |
134 | argv[0] = full_cmd; | |
135 | cmd.silent_exec_failure = 1; | |
136 | strvec_pushv(&cmd.args, argv); | |
137 | code = run_command(&cmd); | |
138 | if (code == -1 && errno == ENOENT) { | |
139 | fprintf(stderr, "unrecognized command '%s'\n", prog); | |
140 | } | |
141 | free(full_cmd); | |
142 | } else { | |
143 | fprintf(stderr, "invalid command format '%s'\n", prog); | |
144 | } | |
145 | ||
146 | free(argv); | |
147 | free(rawargs); | |
148 | } while (!done); | |
149 | } | |
150 | ||
151 | static struct commands { | |
152 | const char *name; | |
153 | int (*exec)(const char *me, char *arg); | |
154 | } cmd_list[] = { | |
155 | { "git-receive-pack", do_generic_cmd }, | |
156 | { "git-upload-pack", do_generic_cmd }, | |
157 | { "git-upload-archive", do_generic_cmd }, | |
158 | { NULL }, | |
159 | }; | |
160 | ||
161 | int cmd_main(int argc, const char **argv) | |
162 | { | |
163 | char *prog; | |
164 | const char **user_argv; | |
165 | struct commands *cmd; | |
166 | int count; | |
167 | ||
168 | /* | |
169 | * Special hack to pretend to be a CVS server | |
170 | */ | |
171 | if (argc == 2 && !strcmp(argv[1], "cvs server")) { | |
172 | argv--; | |
173 | } else if (argc == 1) { | |
174 | /* Allow the user to run an interactive shell */ | |
175 | cd_to_homedir(); | |
176 | if (access(COMMAND_DIR, R_OK | X_OK) == -1) { | |
177 | die("Interactive git shell is not enabled.\n" | |
178 | "hint: ~/" COMMAND_DIR " should exist " | |
179 | "and have read and execute access."); | |
180 | } | |
181 | run_shell(); | |
182 | exit(0); | |
183 | } else if (argc != 3 || strcmp(argv[1], "-c")) { | |
184 | /* | |
185 | * We do not accept any other modes except "-c" followed by | |
186 | * "cmd arg", where "cmd" is a very limited subset of git | |
187 | * commands or a command in the COMMAND_DIR | |
188 | */ | |
189 | die("Run with no arguments or with -c cmd"); | |
190 | } | |
191 | ||
192 | prog = xstrdup(argv[2]); | |
193 | if (!strncmp(prog, "git", 3) && isspace(prog[3])) | |
194 | /* Accept "git foo" as if the caller said "git-foo". */ | |
195 | prog[3] = '-'; | |
196 | ||
197 | for (cmd = cmd_list ; cmd->name ; cmd++) { | |
198 | int len = strlen(cmd->name); | |
199 | char *arg; | |
200 | if (strncmp(cmd->name, prog, len)) | |
201 | continue; | |
202 | arg = NULL; | |
203 | switch (prog[len]) { | |
204 | case '\0': | |
205 | arg = NULL; | |
206 | break; | |
207 | case ' ': | |
208 | arg = prog + len + 1; | |
209 | break; | |
210 | default: | |
211 | continue; | |
212 | } | |
213 | return cmd->exec(cmd->name, arg); | |
214 | } | |
215 | ||
216 | cd_to_homedir(); | |
217 | count = split_cmdline(prog, &user_argv); | |
218 | if (count >= 0) { | |
219 | if (is_valid_cmd_name(user_argv[0])) { | |
220 | prog = make_cmd(user_argv[0]); | |
221 | user_argv[0] = prog; | |
222 | execv(user_argv[0], (char *const *) user_argv); | |
223 | } | |
224 | free(prog); | |
225 | free(user_argv); | |
226 | die("unrecognized command '%s'", argv[2]); | |
227 | } else { | |
228 | free(prog); | |
229 | die("invalid command format '%s': %s", argv[2], | |
230 | split_cmdline_strerror(count)); | |
231 | } | |
232 | } |