[thirdparty/git.git] / shell.c

#include "git-compat-util.h"
#include "quote.h"
#include "exec-cmd.h"
#include "strbuf.h"
#include "run-command.h"
#include "alias.h"

#define COMMAND_DIR "git-shell-commands"
#define HELP_COMMAND COMMAND_DIR "/help"
#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"

static int do_generic_cmd(const char *me, char *arg)
{
	const char *my_argv[4];

	setup_path();
	if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
		die("bad argument");
	if (!skip_prefix(me, "git-", &me))
		die("bad command");

	my_argv[0] = me;
	my_argv[1] = arg;
	my_argv[2] = NULL;

	return execv_git_cmd(my_argv);
}

static int is_valid_cmd_name(const char *cmd)
{
	/* Test command contains no . or / characters */
	return cmd[strcspn(cmd, "./")] == '\0';
}

static char *make_cmd(const char *prog)
{
	return xstrfmt("%s/%s", COMMAND_DIR, prog);
}

static void cd_to_homedir(void)
{
	const char *home = getenv("HOME");
	if (!home)
		die("could not determine user's home directory; HOME is unset");
	if (chdir(home) == -1)
		die("could not chdir to user's home directory");
}

#define MAX_INTERACTIVE_COMMAND (4*1024*1024)

static void run_shell(void)
{
	int done = 0;
	struct child_process help_cmd = CHILD_PROCESS_INIT;

	if (!access(NOLOGIN_COMMAND, F_OK)) {
		/* Interactive login disabled. */
		struct child_process nologin_cmd = CHILD_PROCESS_INIT;
		int status;

		strvec_push(&nologin_cmd.args, NOLOGIN_COMMAND);
		status = run_command(&nologin_cmd);
		if (status < 0)
			exit(127);
		exit(status);
	}

	/* Print help if enabled */
	help_cmd.silent_exec_failure = 1;
	strvec_push(&help_cmd.args, HELP_COMMAND);
	run_command(&help_cmd);

	do {
		const char *prog;
		char *full_cmd;
		char *rawargs;
		size_t len;
		char *split_args;
		const char **argv;
		int code;
		int count;

		fprintf(stderr, "git> ");

		/*
		 * Avoid using a strbuf or git_read_line_interactively() here.
		 * We don't want to allocate arbitrary amounts of memory on
		 * behalf of a possibly untrusted client, and we're subject to
		 * OS limits on command length anyway.
		 */
		fflush(stdout);
		rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
		if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
			fprintf(stderr, "\n");
			free(rawargs);
			break;
		}
		len = strlen(rawargs);

		/*
		 * If we truncated due to our input buffer size, reject the
		 * command. That's better than running bogus input, and
		 * there's a good chance it's just malicious garbage anyway.
		 */
		if (len >= MAX_INTERACTIVE_COMMAND - 1)
			die("invalid command format: input too long");

		if (len > 0 && rawargs[len - 1] == '\n') {
			if (--len > 0 && rawargs[len - 1] == '\r')
				--len;
			rawargs[len] = '\0';
		}

		split_args = xstrdup(rawargs);
		count = split_cmdline(split_args, &argv);
		if (count < 0) {
			fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
				split_cmdline_strerror(count));
			free(split_args);
			free(rawargs);
			continue;
		}

		prog = argv[0];
		if (!strcmp(prog, "")) {
		} else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") ||
			   !strcmp(prog, "exit") || !strcmp(prog, "bye")) {
			done = 1;
		} else if (is_valid_cmd_name(prog)) {
			struct child_process cmd = CHILD_PROCESS_INIT;

			full_cmd = make_cmd(prog);
			argv[0] = full_cmd;
			cmd.silent_exec_failure = 1;
			strvec_pushv(&cmd.args, argv);
			code = run_command(&cmd);
			if (code == -1 && errno == ENOENT) {
				fprintf(stderr, "unrecognized command '%s'\n", prog);
			}
			free(full_cmd);
		} else {
			fprintf(stderr, "invalid command format '%s'\n", prog);
		}

		free(argv);
		free(rawargs);
	} while (!done);
}

static struct commands {
	const char *name;
	int (*exec)(const char *me, char *arg);
} cmd_list[] = {
	{ "git-receive-pack", do_generic_cmd },
	{ "git-upload-pack", do_generic_cmd },
	{ "git-upload-archive", do_generic_cmd },
	{ NULL },
};

int cmd_main(int argc, const char **argv)
{
	char *prog;
	const char **user_argv;
	struct commands *cmd;
	int count;

	/*
	 * Special hack to pretend to be a CVS server
	 */
	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
		argv--;
	} else if (argc == 1) {
		/* Allow the user to run an interactive shell */
		cd_to_homedir();
		if (access(COMMAND_DIR, R_OK | X_OK) == -1) {
			die("Interactive git shell is not enabled.\n"
			    "hint: ~/" COMMAND_DIR " should exist "
			    "and have read and execute access.");
		}
		run_shell();
		exit(0);
	} else if (argc != 3 || strcmp(argv[1], "-c")) {
		/*
		 * We do not accept any other modes except "-c" followed by
		 * "cmd arg", where "cmd" is a very limited subset of git
		 * commands or a command in the COMMAND_DIR
		 */
		die("Run with no arguments or with -c cmd");
	}

	prog = xstrdup(argv[2]);
	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
		/* Accept "git foo" as if the caller said "git-foo". */
		prog[3] = '-';

	for (cmd = cmd_list ; cmd->name ; cmd++) {
		int len = strlen(cmd->name);
		char *arg;
		if (strncmp(cmd->name, prog, len))
			continue;
		arg = NULL;
		switch (prog[len]) {
		case '\0':
			arg = NULL;
			break;
		case ' ':
			arg = prog + len + 1;
			break;
		default:
			continue;
		}
		return cmd->exec(cmd->name, arg);
	}

	cd_to_homedir();
	count = split_cmdline(prog, &user_argv);
	if (count >= 0) {
		if (is_valid_cmd_name(user_argv[0])) {
			prog = make_cmd(user_argv[0]);
			user_argv[0] = prog;
			execv(user_argv[0], (char *const *) user_argv);
		}
		free(prog);
		free(user_argv);
		die("unrecognized command '%s'", argv[2]);
	} else {
		free(prog);
		die("invalid command format '%s': %s", argv[2],
		    split_cmdline_strerror(count));
	}
}
Commit	Line	Data
15db4e7f	1	#include "git-compat-util.h"
35eb2d36	2	#include "quote.h"
d807c4a0	3	#include "exec-cmd.h"
0c696fe7	4	#include "strbuf.h"
e69164dd	5	#include "run-command.h"
65b5f948	6	#include "alias.h"
35eb2d36	7
2dbc887e	8	#define COMMAND_DIR "git-shell-commands"
e69164dd	9	#define HELP_COMMAND COMMAND_DIR "/help"
35297089	10	#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"
2dbc887e	11
35eb2d36 LT	12	static int do_generic_cmd(const char me, char arg)
	13	{
	14	const char *my_argv[4];
	15
e1464ca7	16	setup_path();
3ec80449	17	if (!arg \|\| !(arg = sq_dequote(arg)) \|\| *arg == '-')
35eb2d36	18	die("bad argument");
ec6ee0c0	19	if (!skip_prefix(me, "git-", &me))
77cb17e9	20	die("bad command");
35eb2d36	21
ec6ee0c0	22	my_argv[0] = me;
35eb2d36 LT	23	my_argv[1] = arg;
	24	my_argv[2] = NULL;
	25
9201c707	26	return execv_git_cmd(my_argv);
35eb2d36 LT	27	}
35eb2d36 LT	28
2dbc887e GB	29	static int is_valid_cmd_name(const char *cmd)
	30	{
	31	/* Test command contains no . or / characters */
	32	return cmd[strcspn(cmd, "./")] == '\0';
	33	}
	34
	35	static char make_cmd(const char prog)
	36	{
b2724c87	37	return xstrfmt("%s/%s", COMMAND_DIR, prog);
2dbc887e GB	38	}
	39
	40	static void cd_to_homedir(void)
	41	{
	42	const char *home = getenv("HOME");
	43	if (!home)
	44	die("could not determine user's home directory; HOME is unset");
	45	if (chdir(home) == -1)
	46	die("could not chdir to user's home directory");
	47	}
0c696fe7	48
71ad7fe1 JK	49	#define MAX_INTERACTIVE_COMMAND (410241024)
71ad7fe1 JK	50
e69164dd GB	51	static void run_shell(void)
	52	{
	53	int done = 0;
ddbb47fd	54	struct child_process help_cmd = CHILD_PROCESS_INIT;
35297089 JN	55
	56	if (!access(NOLOGIN_COMMAND, F_OK)) {
	57	/* Interactive login disabled. */
ddbb47fd	58	struct child_process nologin_cmd = CHILD_PROCESS_INIT;
35297089 JN	59	int status;
35297089 JN	60
ddbb47fd RS	61	strvec_push(&nologin_cmd.args, NOLOGIN_COMMAND);
ddbb47fd RS	62	status = run_command(&nologin_cmd);
35297089 JN	63	if (status < 0)
	64	exit(127);
	65	exit(status);
	66	}
	67
e69164dd	68	/* Print help if enabled */
ddbb47fd RS	69	help_cmd.silent_exec_failure = 1;
	70	strvec_push(&help_cmd.args, HELP_COMMAND);
	71	run_command(&help_cmd);
e69164dd GB	72
e69164dd GB	73	do {
e69164dd GB	74	const char *prog;
	75	char *full_cmd;
	76	char *rawargs;
71ad7fe1	77	size_t len;
9f29fe9a	78	char *split_args;
e69164dd GB	79	const char **argv;
e69164dd GB	80	int code;
9f29fe9a	81	int count;
e69164dd GB	82
e69164dd GB	83	fprintf(stderr, "git> ");
71ad7fe1 JK	84
	85	/*
	86	* Avoid using a strbuf or git_read_line_interactively() here.
	87	* We don't want to allocate arbitrary amounts of memory on
	88	* behalf of a possibly untrusted client, and we're subject to
	89	* OS limits on command length anyway.
	90	*/
	91	fflush(stdout);
	92	rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
	93	if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
e69164dd	94	fprintf(stderr, "\n");
71ad7fe1	95	free(rawargs);
e69164dd GB	96	break;
e69164dd GB	97	}
71ad7fe1 JK	98	len = strlen(rawargs);
	99
	100	/*
	101	* If we truncated due to our input buffer size, reject the
	102	* command. That's better than running bogus input, and
	103	* there's a good chance it's just malicious garbage anyway.
	104	*/
	105	if (len >= MAX_INTERACTIVE_COMMAND - 1)
	106	die("invalid command format: input too long");
	107
	108	if (len > 0 && rawargs[len - 1] == '\n') {
	109	if (--len > 0 && rawargs[len - 1] == '\r')
	110	--len;
	111	rawargs[len] = '\0';
	112	}
	113
9f29fe9a GB	114	split_args = xstrdup(rawargs);
	115	count = split_cmdline(split_args, &argv);
	116	if (count < 0) {
	117	fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
	118	split_cmdline_strerror(count));
	119	free(split_args);
e69164dd GB	120	free(rawargs);
	121	continue;
	122	}
	123
	124	prog = argv[0];
	125	if (!strcmp(prog, "")) {
	126	} else if (!strcmp(prog, "quit") \|\| !strcmp(prog, "logout") \|\|
	127	!strcmp(prog, "exit") \|\| !strcmp(prog, "bye")) {
	128	done = 1;
	129	} else if (is_valid_cmd_name(prog)) {
ddbb47fd RS	130	struct child_process cmd = CHILD_PROCESS_INIT;
ddbb47fd RS	131
e69164dd GB	132	full_cmd = make_cmd(prog);
e69164dd GB	133	argv[0] = full_cmd;
ddbb47fd RS	134	cmd.silent_exec_failure = 1;
	135	strvec_pushv(&cmd.args, argv);
	136	code = run_command(&cmd);
e69164dd GB	137	if (code == -1 && errno == ENOENT) {
	138	fprintf(stderr, "unrecognized command '%s'\n", prog);
	139	}
	140	free(full_cmd);
	141	} else {
	142	fprintf(stderr, "invalid command format '%s'\n", prog);
	143	}
	144
	145	free(argv);
	146	free(rawargs);
	147	} while (!done);
	148	}
	149
35eb2d36 LT	150	static struct commands {
	151	const char *name;
	152	int (exec)(const char me, char *arg);
	153	} cmd_list[] = {
	154	{ "git-receive-pack", do_generic_cmd },
	155	{ "git-upload-pack", do_generic_cmd },
79f72b97	156	{ "git-upload-archive", do_generic_cmd },
35eb2d36 LT	157	{ NULL },
	158	};
	159
3f2e2297	160	int cmd_main(int argc, const char **argv)
35eb2d36 LT	161	{
35eb2d36 LT	162	char *prog;
2dbc887e	163	const char **user_argv;
35eb2d36	164	struct commands *cmd;
9f29fe9a	165	int count;
0cfeed2e	166
bc7c73e2 JH	167	/*
	168	* Special hack to pretend to be a CVS server
	169	*/
e69164dd	170	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
0c696fe7	171	argv--;
e69164dd GB	172	} else if (argc == 1) {
	173	/* Allow the user to run an interactive shell */
	174	cd_to_homedir();
70256a3a RR	175	if (access(COMMAND_DIR, R_OK \| X_OK) == -1) {
	176	die("Interactive git shell is not enabled.\n"
	177	"hint: ~/" COMMAND_DIR " should exist "
	178	"and have read and execute access.");
	179	}
e69164dd GB	180	run_shell();
	181	exit(0);
	182	} else if (argc != 3 \|\| strcmp(argv[1], "-c")) {
	183	/*
	184	* We do not accept any other modes except "-c" followed by
	185	* "cmd arg", where "cmd" is a very limited subset of git
	186	* commands or a command in the COMMAND_DIR
	187	*/
	188	die("Run with no arguments or with -c cmd");
	189	}
35eb2d36	190
2dbc887e	191	prog = xstrdup(argv[2]);
bc7c73e2 JH	192	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
	193	/* Accept "git foo" as if the caller said "git-foo". */
	194	prog[3] = '-';
	195
35eb2d36 LT	196	for (cmd = cmd_list ; cmd->name ; cmd++) {
	197	int len = strlen(cmd->name);
	198	char *arg;
	199	if (strncmp(cmd->name, prog, len))
	200	continue;
	201	arg = NULL;
	202	switch (prog[len]) {
	203	case '\0':
	204	arg = NULL;
	205	break;
	206	case ' ':
	207	arg = prog + len + 1;
	208	break;
	209	default:
	210	continue;
	211	}
338abb0f	212	return cmd->exec(cmd->name, arg);
35eb2d36	213	}
2dbc887e GB	214
2dbc887e GB	215	cd_to_homedir();
9f29fe9a GB	216	count = split_cmdline(prog, &user_argv);
9f29fe9a GB	217	if (count >= 0) {
2dbc887e GB	218	if (is_valid_cmd_name(user_argv[0])) {
	219	prog = make_cmd(user_argv[0]);
	220	user_argv[0] = prog;
	221	execv(user_argv[0], (char const ) user_argv);
	222	}
	223	free(prog);
	224	free(user_argv);
	225	die("unrecognized command '%s'", argv[2]);
	226	} else {
	227	free(prog);
9f29fe9a GB	228	die("invalid command format '%s': %s", argv[2],
9f29fe9a GB	229	split_cmdline_strerror(count));
2dbc887e	230	}
35eb2d36	231	}