[thirdparty/git.git] / shell.c

#include "cache.h"
#include "quote.h"
#include "exec-cmd.h"
#include "strbuf.h"
#include "run-command.h"
#include "alias.h"
#include "prompt.h"

#define COMMAND_DIR "git-shell-commands"
#define HELP_COMMAND COMMAND_DIR "/help"
#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"

static int do_generic_cmd(const char *me, char *arg)
{
	const char *my_argv[4];

	setup_path();
	if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
		die("bad argument");
	if (!skip_prefix(me, "git-", &me))
		die("bad command");

	my_argv[0] = me;
	my_argv[1] = arg;
	my_argv[2] = NULL;

	return execv_git_cmd(my_argv);
}

static int is_valid_cmd_name(const char *cmd)
{
	/* Test command contains no . or / characters */
	return cmd[strcspn(cmd, "./")] == '\0';
}

static char *make_cmd(const char *prog)
{
	return xstrfmt("%s/%s", COMMAND_DIR, prog);
}

static void cd_to_homedir(void)
{
	const char *home = getenv("HOME");
	if (!home)
		die("could not determine user's home directory; HOME is unset");
	if (chdir(home) == -1)
		die("could not chdir to user's home directory");
}

#define MAX_INTERACTIVE_COMMAND (4*1024*1024)

static void run_shell(void)
{
	int done = 0;
	struct child_process help_cmd = CHILD_PROCESS_INIT;

	if (!access(NOLOGIN_COMMAND, F_OK)) {
		/* Interactive login disabled. */
		struct child_process nologin_cmd = CHILD_PROCESS_INIT;
		int status;

		strvec_push(&nologin_cmd.args, NOLOGIN_COMMAND);
		status = run_command(&nologin_cmd);
		if (status < 0)
			exit(127);
		exit(status);
	}

	/* Print help if enabled */
	help_cmd.silent_exec_failure = 1;
	strvec_push(&help_cmd.args, HELP_COMMAND);
	run_command(&help_cmd);

	do {
		const char *prog;
		char *full_cmd;
		char *rawargs;
		size_t len;
		char *split_args;
		const char **argv;
		int code;
		int count;

		fprintf(stderr, "git> ");

		/*
		 * Avoid using a strbuf or git_read_line_interactively() here.
		 * We don't want to allocate arbitrary amounts of memory on
		 * behalf of a possibly untrusted client, and we're subject to
		 * OS limits on command length anyway.
		 */
		fflush(stdout);
		rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
		if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
			fprintf(stderr, "\n");
			free(rawargs);
			break;
		}
		len = strlen(rawargs);

		/*
		 * If we truncated due to our input buffer size, reject the
		 * command. That's better than running bogus input, and
		 * there's a good chance it's just malicious garbage anyway.
		 */
		if (len >= MAX_INTERACTIVE_COMMAND - 1)
			die("invalid command format: input too long");

		if (len > 0 && rawargs[len - 1] == '\n') {
			if (--len > 0 && rawargs[len - 1] == '\r')
				--len;
			rawargs[len] = '\0';
		}

		split_args = xstrdup(rawargs);
		count = split_cmdline(split_args, &argv);
		if (count < 0) {
			fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
				split_cmdline_strerror(count));
			free(split_args);
			free(rawargs);
			continue;
		}

		prog = argv[0];
		if (!strcmp(prog, "")) {
		} else if (!strcmp(prog, "quit") || !strcmp(prog, "logout") ||
			   !strcmp(prog, "exit") || !strcmp(prog, "bye")) {
			done = 1;
		} else if (is_valid_cmd_name(prog)) {
			struct child_process cmd = CHILD_PROCESS_INIT;

			full_cmd = make_cmd(prog);
			argv[0] = full_cmd;
			cmd.silent_exec_failure = 1;
			strvec_pushv(&cmd.args, argv);
			code = run_command(&cmd);
			if (code == -1 && errno == ENOENT) {
				fprintf(stderr, "unrecognized command '%s'\n", prog);
			}
			free(full_cmd);
		} else {
			fprintf(stderr, "invalid command format '%s'\n", prog);
		}

		free(argv);
		free(rawargs);
	} while (!done);
}

static struct commands {
	const char *name;
	int (*exec)(const char *me, char *arg);
} cmd_list[] = {
	{ "git-receive-pack", do_generic_cmd },
	{ "git-upload-pack", do_generic_cmd },
	{ "git-upload-archive", do_generic_cmd },
	{ NULL },
};

int cmd_main(int argc, const char **argv)
{
	char *prog;
	const char **user_argv;
	struct commands *cmd;
	int count;

	/*
	 * Special hack to pretend to be a CVS server
	 */
	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
		argv--;
	} else if (argc == 1) {
		/* Allow the user to run an interactive shell */
		cd_to_homedir();
		if (access(COMMAND_DIR, R_OK | X_OK) == -1) {
			die("Interactive git shell is not enabled.\n"
			    "hint: ~/" COMMAND_DIR " should exist "
			    "and have read and execute access.");
		}
		run_shell();
		exit(0);
	} else if (argc != 3 || strcmp(argv[1], "-c")) {
		/*
		 * We do not accept any other modes except "-c" followed by
		 * "cmd arg", where "cmd" is a very limited subset of git
		 * commands or a command in the COMMAND_DIR
		 */
		die("Run with no arguments or with -c cmd");
	}

	prog = xstrdup(argv[2]);
	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
		/* Accept "git foo" as if the caller said "git-foo". */
		prog[3] = '-';

	for (cmd = cmd_list ; cmd->name ; cmd++) {
		int len = strlen(cmd->name);
		char *arg;
		if (strncmp(cmd->name, prog, len))
			continue;
		arg = NULL;
		switch (prog[len]) {
		case '\0':
			arg = NULL;
			break;
		case ' ':
			arg = prog + len + 1;
			break;
		default:
			continue;
		}
		return cmd->exec(cmd->name, arg);
	}

	cd_to_homedir();
	count = split_cmdline(prog, &user_argv);
	if (count >= 0) {
		if (is_valid_cmd_name(user_argv[0])) {
			prog = make_cmd(user_argv[0]);
			user_argv[0] = prog;
			execv(user_argv[0], (char *const *) user_argv);
		}
		free(prog);
		free(user_argv);
		die("unrecognized command '%s'", argv[2]);
	} else {
		free(prog);
		die("invalid command format '%s': %s", argv[2],
		    split_cmdline_strerror(count));
	}
}
Commit	Line	Data
35eb2d36 LT	1	#include "cache.h"
35eb2d36 LT	2	#include "quote.h"
d807c4a0	3	#include "exec-cmd.h"
0c696fe7	4	#include "strbuf.h"
e69164dd	5	#include "run-command.h"
65b5f948	6	#include "alias.h"
08d383f2	7	#include "prompt.h"
35eb2d36	8
2dbc887e	9	#define COMMAND_DIR "git-shell-commands"
e69164dd	10	#define HELP_COMMAND COMMAND_DIR "/help"
35297089	11	#define NOLOGIN_COMMAND COMMAND_DIR "/no-interactive-login"
2dbc887e	12
35eb2d36 LT	13	static int do_generic_cmd(const char me, char arg)
	14	{
	15	const char *my_argv[4];
	16
e1464ca7	17	setup_path();
3ec80449	18	if (!arg \|\| !(arg = sq_dequote(arg)) \|\| *arg == '-')
35eb2d36	19	die("bad argument");
ec6ee0c0	20	if (!skip_prefix(me, "git-", &me))
77cb17e9	21	die("bad command");
35eb2d36	22
ec6ee0c0	23	my_argv[0] = me;
35eb2d36 LT	24	my_argv[1] = arg;
	25	my_argv[2] = NULL;
	26
9201c707	27	return execv_git_cmd(my_argv);
35eb2d36 LT	28	}
35eb2d36 LT	29
2dbc887e GB	30	static int is_valid_cmd_name(const char *cmd)
	31	{
	32	/* Test command contains no . or / characters */
	33	return cmd[strcspn(cmd, "./")] == '\0';
	34	}
	35
	36	static char make_cmd(const char prog)
	37	{
b2724c87	38	return xstrfmt("%s/%s", COMMAND_DIR, prog);
2dbc887e GB	39	}
	40
	41	static void cd_to_homedir(void)
	42	{
	43	const char *home = getenv("HOME");
	44	if (!home)
	45	die("could not determine user's home directory; HOME is unset");
	46	if (chdir(home) == -1)
	47	die("could not chdir to user's home directory");
	48	}
0c696fe7	49
71ad7fe1 JK	50	#define MAX_INTERACTIVE_COMMAND (410241024)
71ad7fe1 JK	51
e69164dd GB	52	static void run_shell(void)
	53	{
	54	int done = 0;
ddbb47fd	55	struct child_process help_cmd = CHILD_PROCESS_INIT;
35297089 JN	56
	57	if (!access(NOLOGIN_COMMAND, F_OK)) {
	58	/* Interactive login disabled. */
ddbb47fd	59	struct child_process nologin_cmd = CHILD_PROCESS_INIT;
35297089 JN	60	int status;
35297089 JN	61
ddbb47fd RS	62	strvec_push(&nologin_cmd.args, NOLOGIN_COMMAND);
ddbb47fd RS	63	status = run_command(&nologin_cmd);
35297089 JN	64	if (status < 0)
	65	exit(127);
	66	exit(status);
	67	}
	68
e69164dd	69	/* Print help if enabled */
ddbb47fd RS	70	help_cmd.silent_exec_failure = 1;
	71	strvec_push(&help_cmd.args, HELP_COMMAND);
	72	run_command(&help_cmd);
e69164dd GB	73
e69164dd GB	74	do {
e69164dd GB	75	const char *prog;
	76	char *full_cmd;
	77	char *rawargs;
71ad7fe1	78	size_t len;
9f29fe9a	79	char *split_args;
e69164dd GB	80	const char **argv;
e69164dd GB	81	int code;
9f29fe9a	82	int count;
e69164dd GB	83
e69164dd GB	84	fprintf(stderr, "git> ");
71ad7fe1 JK	85
	86	/*
	87	* Avoid using a strbuf or git_read_line_interactively() here.
	88	* We don't want to allocate arbitrary amounts of memory on
	89	* behalf of a possibly untrusted client, and we're subject to
	90	* OS limits on command length anyway.
	91	*/
	92	fflush(stdout);
	93	rawargs = xmalloc(MAX_INTERACTIVE_COMMAND);
	94	if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) {
e69164dd	95	fprintf(stderr, "\n");
71ad7fe1	96	free(rawargs);
e69164dd GB	97	break;
e69164dd GB	98	}
71ad7fe1 JK	99	len = strlen(rawargs);
	100
	101	/*
	102	* If we truncated due to our input buffer size, reject the
	103	* command. That's better than running bogus input, and
	104	* there's a good chance it's just malicious garbage anyway.
	105	*/
	106	if (len >= MAX_INTERACTIVE_COMMAND - 1)
	107	die("invalid command format: input too long");
	108
	109	if (len > 0 && rawargs[len - 1] == '\n') {
	110	if (--len > 0 && rawargs[len - 1] == '\r')
	111	--len;
	112	rawargs[len] = '\0';
	113	}
	114
9f29fe9a GB	115	split_args = xstrdup(rawargs);
	116	count = split_cmdline(split_args, &argv);
	117	if (count < 0) {
	118	fprintf(stderr, "invalid command format '%s': %s\n", rawargs,
	119	split_cmdline_strerror(count));
	120	free(split_args);
e69164dd GB	121	free(rawargs);
	122	continue;
	123	}
	124
	125	prog = argv[0];
	126	if (!strcmp(prog, "")) {
	127	} else if (!strcmp(prog, "quit") \|\| !strcmp(prog, "logout") \|\|
	128	!strcmp(prog, "exit") \|\| !strcmp(prog, "bye")) {
	129	done = 1;
	130	} else if (is_valid_cmd_name(prog)) {
ddbb47fd RS	131	struct child_process cmd = CHILD_PROCESS_INIT;
ddbb47fd RS	132
e69164dd GB	133	full_cmd = make_cmd(prog);
e69164dd GB	134	argv[0] = full_cmd;
ddbb47fd RS	135	cmd.silent_exec_failure = 1;
	136	strvec_pushv(&cmd.args, argv);
	137	code = run_command(&cmd);
e69164dd GB	138	if (code == -1 && errno == ENOENT) {
	139	fprintf(stderr, "unrecognized command '%s'\n", prog);
	140	}
	141	free(full_cmd);
	142	} else {
	143	fprintf(stderr, "invalid command format '%s'\n", prog);
	144	}
	145
	146	free(argv);
	147	free(rawargs);
	148	} while (!done);
	149	}
	150
35eb2d36 LT	151	static struct commands {
	152	const char *name;
	153	int (exec)(const char me, char *arg);
	154	} cmd_list[] = {
	155	{ "git-receive-pack", do_generic_cmd },
	156	{ "git-upload-pack", do_generic_cmd },
79f72b97	157	{ "git-upload-archive", do_generic_cmd },
35eb2d36 LT	158	{ NULL },
	159	};
	160
3f2e2297	161	int cmd_main(int argc, const char **argv)
35eb2d36 LT	162	{
35eb2d36 LT	163	char *prog;
2dbc887e	164	const char **user_argv;
35eb2d36	165	struct commands *cmd;
9f29fe9a	166	int count;
0cfeed2e	167
bc7c73e2 JH	168	/*
	169	* Special hack to pretend to be a CVS server
	170	*/
e69164dd	171	if (argc == 2 && !strcmp(argv[1], "cvs server")) {
0c696fe7	172	argv--;
e69164dd GB	173	} else if (argc == 1) {
	174	/* Allow the user to run an interactive shell */
	175	cd_to_homedir();
70256a3a RR	176	if (access(COMMAND_DIR, R_OK \| X_OK) == -1) {
	177	die("Interactive git shell is not enabled.\n"
	178	"hint: ~/" COMMAND_DIR " should exist "
	179	"and have read and execute access.");
	180	}
e69164dd GB	181	run_shell();
	182	exit(0);
	183	} else if (argc != 3 \|\| strcmp(argv[1], "-c")) {
	184	/*
	185	* We do not accept any other modes except "-c" followed by
	186	* "cmd arg", where "cmd" is a very limited subset of git
	187	* commands or a command in the COMMAND_DIR
	188	*/
	189	die("Run with no arguments or with -c cmd");
	190	}
35eb2d36	191
2dbc887e	192	prog = xstrdup(argv[2]);
bc7c73e2 JH	193	if (!strncmp(prog, "git", 3) && isspace(prog[3]))
	194	/* Accept "git foo" as if the caller said "git-foo". */
	195	prog[3] = '-';
	196
35eb2d36 LT	197	for (cmd = cmd_list ; cmd->name ; cmd++) {
	198	int len = strlen(cmd->name);
	199	char *arg;
	200	if (strncmp(cmd->name, prog, len))
	201	continue;
	202	arg = NULL;
	203	switch (prog[len]) {
	204	case '\0':
	205	arg = NULL;
	206	break;
	207	case ' ':
	208	arg = prog + len + 1;
	209	break;
	210	default:
	211	continue;
	212	}
338abb0f	213	return cmd->exec(cmd->name, arg);
35eb2d36	214	}
2dbc887e GB	215
2dbc887e GB	216	cd_to_homedir();
9f29fe9a GB	217	count = split_cmdline(prog, &user_argv);
9f29fe9a GB	218	if (count >= 0) {
2dbc887e GB	219	if (is_valid_cmd_name(user_argv[0])) {
	220	prog = make_cmd(user_argv[0]);
	221	user_argv[0] = prog;
	222	execv(user_argv[0], (char const ) user_argv);
	223	}
	224	free(prog);
	225	free(user_argv);
	226	die("unrecognized command '%s'", argv[2]);
	227	} else {
	228	free(prog);
9f29fe9a GB	229	die("invalid command format '%s': %s", argv[2],
9f29fe9a GB	230	split_cmdline_strerror(count));
2dbc887e	231	}
35eb2d36	232	}