git.ipfire.org Git - thirdparty/git.git/commit

author	Jeff King <peff@peff.net>
	Wed, 11 Mar 2020 21:53:41 +0000 (17:53 -0400)
committer	Jeff King <peff@peff.net>
	Thu, 12 Mar 2020 06:55:16 +0000 (02:55 -0400)
commit	9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
tree	69d12720e68f9cba226bf4ffcc0ca3a668de2c72	tree \| snapshot
parent	a5ab8d03173458b76b8452efd90a7173f490c132	commit \| diff

credential: avoid writing values with newlines

The credential protocol that we use to speak to helpers can't represent
values with newlines in them. This was an intentional design choice to
keep the protocol simple, since none of the values we pass should
generally have newlines.

However, if we _do_ encounter a newline in a value, we blindly transmit
it in credential_write(). Such values may break the protocol syntax, or
worse, inject new valid lines into the protocol stream.

The most likely way for a newline to end up in a credential struct is by
decoding a URL with a percent-encoded newline. However, since the bug
occurs at the moment we write the value to the protocol, we'll catch it
there. That should leave no possibility of accidentally missing a code
path that can trigger the problem.

At this level of the code we have little choice but to die(). However,
since we'd not ever expect to see this case outside of a malicious URL,
that's an acceptable outcome.

Reported-by: Felix Wilhelm <fwilhelm@google.com>

credential.c		diff \| blob \| blame \| history
t/t0300-credentials.sh		diff \| blob \| blame \| history