git-daemon-verify/git-http-backend-verify: validate bin and set PATH

[girocco.git] / bin / git-http-backend-verify

#!/bin/sh
#
# Abort any push early if the pushing user doesn't have any push permissions
# at all.  This avoids unnecessary traffic and unpacked object pollution.
#
# Set GIT_HTTP_BACKEND_BIN to change the default http-backend binary from
# the default of Config.pm $git_http_backend_bin (which itself has a default
# of "/usr/lib/git-core/git-http-backend")
#
# Note that GIT_PROJECT_ROOT is automatically set to $cfg_reporoot and exported
# any incoming value for it will be ignored.
#
# Also prevents standard error output from git-http-backend cluttering up the
# server's log unless GIT_HTTP_BACKEND_SHOW_ERRORS is set to a non-empty value.

set -e

. @basedir@/shlib.sh

unset GIT_USER_AGENT
if [ -n "$defined_cfg_git_server_ua" ]; then
        GIT_USER_AGENT="$cfg_git_server_ua"
        export GIT_USER_AGENT
fi

[ -z "$GIT_HTTP_BACKEND_BIN" ] || cfg_git_http_backend_bin="$GIT_HTTP_BACKEND_BIN"
[ -n "$cfg_git_http_backend_bin" ] ||
        cfg_git_http_backend_bin="$($cfg_git_bin --exec-path)/git-http-backend"

GIT_PROJECT_ROOT="$cfg_reporoot"
export GIT_PROJECT_ROOT

# This script is called for both fetch and push.
# Only the following conditions trigger a push permissions check:
#
#   1. REQUEST_METHOD=GET
#      and PATH_INFO ends with "/info/refs"
#      and QUERY_STRING has "service=git-receive-pack"
#
#   2. REQUEST_METHOD=POST
#      and PATH_INFO ends with "/git-receive-pack"
#
# Note that there is no check for PATH_INFO being under a certain root as
# GIT_PROJECT_ROOT will be exported and set so all PATH_INFO values are
# effectively forced under the desired root.
#
# The REQUEST_METHOD is validated.  For smart HTTP requests only the project
# name is extracted and validated and the corresponding project directory must
# exist under $cfg_reporoot.  Non-smart HTTP fetch requests (GET or HEAD) are
# passed on unchanged and unchecked.

errorhdrs()
{
        printf '%s\r\n' "Status: $1 $2"
        printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
        printf '%s\r\n' "Pragma: no-cache"
        printf '%s\r\n' "Cache-Control: no-cache, max-age=0, must-revalidate"
        [ -z "$3" ] || printf '%s\r\n' "$3"
        printf '%s\r\n' "Content-Type: text/plain"
        printf '\r\n'
}

msglines()
{
        while [ $# -gt 0 ]; do
                printf '%s\n' "$1"
                shift
        done
}

internalerr()
{
        errorhdrs 500 "Internal Server Error"
        if [ $# -eq 0 ]; then
                msglines "Internal Server Error"
                echo "Internal Server Error" >&2
        else
                msglines "$@"
                while [ $# -gt 0 ]; do
                        printf '%s\n' "$1" >&2
                        shift
                done
        fi
        exit 0
}

methodnotallowed()
{
        errorhdrs 405 "Method Not Allowed" "Allow: GET, HEAD, POST"
        if [ $# -eq 0 ]; then
                msglines "Method Not Allowed"
        else
                msglines "$@"
        fi
        exit 0
}

forbidden()
{
        errorhdrs 403 Forbidden
        if [ $# -eq 0 ]; then
                msglines "Forbidden"
        else
                msglines "$@"
        fi
        exit 0
}

needsauth()
{
        errorhdrs 401 "Authorization Required"
        if [ $# -eq 0 ]; then
                msglines "Authorization Required"
        else
                msglines "$@"
        fi
        exit 0
}

# A quick sanity check
if [ -z "$cfg_git_http_backend_bin" ] || ! [ -x "$cfg_git_http_backend_bin" ]; then
        internalerr "bad cfg_git_http_backend_bin: $cfg_git_http_backend_bin"
        exit 1
fi
case "$cfg_reporoot" in /?*) :;; *)
        internalerr "bad reporoot: $cfg_reporoot"
        exit 1
esac
[ -n "$GIT_PROJECT_ROOT" ] || { internalerr 'GIT_PROJECT_ROOT must be set'; exit 1; }

PATH="$(dirname "$cfg_git_http_backend_bin"):$PATH"
export PATH

proj=
smart=
suffix=
needsauthcheck=
pathcheck="${PATH_INFO#/}"
if [ "$REQUEST_METHOD" = "GET" -o "$REQUEST_METHOD" = "HEAD" ]; then
        # We do not currently validate non-smart GET/HEAD requests.
        # There are only 8 possible suffix values that need to be allowed for
        # non-smart HTTP GET/HEAD fetches (see http-backend.c):
        #   /HEAD
        #   /info/refs
        #   /objects/info/alternates
        #   /objects/info/http-alternates
        #   /objects/info/packs
        #   /objects/[0-9a-f]{2}/[0-9a-f]{38}
        #   /objects/pack/pack-[0-9a-f]{40}.idx
        #   /objects/pack/pack-[0-9a-f]{40}.pack
        case "$pathcheck" in *"/info/refs")
                proj="${pathcheck%/info/refs}"
                case "&$QUERY_STRING&" in
                *"&service=git-receive-pack&"*)
                        smart=1
                        needsauthcheck=1
                        suffix=info/refs
                        ;;
                *"&service=git-upload-pack&"*)
                        smart=1
                        suffix=info/refs
                        ;;
                esac
        esac
elif [ "$REQUEST_METHOD" = "POST" ]; then
        case "$pathcheck" in
        *"/git-receive-pack")
                smart=1
                needsauthcheck=1
                proj="${pathcheck%/git-receive-pack}"
                suffix=git-receive-pack
                ;;
        *"/git-upload-pack")
                smart=1
                proj="${pathcheck%/git-upload-pack}"
                suffix=git-upload-pack
                ;;
        *)
                forbidden
                exit 1
                ;;
        esac
else
        methodnotallowed
        exit 1
fi

# Reject any project names that start with _
case "$pathcheck" in _*)
        forbidden
esac

if [ -n "$smart" ]; then
        # add a missing trailing .git
        case "$proj" in
                *.git) :;;
                *)
                        proj="$proj.git"
        esac

        reporoot="$cfg_reporoot"
        dir="$reporoot/$proj"

        # Valid project names never end in .git (we add that automagically), so a valid
        # fork can never have .git at the end of any path component except the last.
        # We check this to avoid a situation where a certain collection of pushed refs
        # could be mistaken for a GIT_DIR.  Git would ultimately complain, but some
        # undesirable things could happen along the way.

        # Remove the leading $reporoot and trailing .git to get a test string
        testpath="${dir#$reporoot/}"
        testpath="${testpath%.git}"
        case "$testpath/" in *.[Gg][Ii][Tt]/*|_*)
                forbidden
                exit 1
        esac

        if ! [ -d "$dir" ] || ! [ -f "$dir/HEAD" ] || ! [ -d "$dir/objects" ]; then
                forbidden
                exit 1
        fi
fi

if [ -z "$needsauthcheck" ] || [ -z "$smart" ]; then
        if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
                exec "$cfg_git_http_backend_bin" "$@"
        else
                exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
        fi
        internalerr "exec failed: $cfg_git_http_backend_bin"
        exit 1
fi

projbare="${proj%.git}"

if ! [ -f "$dir/.nofetch" ]; then
        forbidden "The $proj project is a mirror and may not be pushed to, sorry"
        exit 1
fi

authuser="${REMOTE_USER#/UID=}"
authuuid="${authuser}"
authuser="${authuser%/dnQualifier=*}"
authuuid="${authuuid#$authuser}"
authuuid="${authuuid#/dnQualifier=}"
if [ -z "$authuser" ]; then
        needsauth "Only authenticated users may push, sorry"
        exit 1
fi
if [ "$authuser" != "mob" -o "$cfg_mob" != "mob" ]; then
        if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
                forbidden "The user '$authuser' certificate being used is no longer valid." \
                        "You may download a new user certificate at $cfg_webadmurl/edituser.cgi"
                exit 1
        fi
fi

if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
        # If mob is enabled and mob has push permissions and
        # the current user is not the mob then it's a personal mob push
        # presuming the special mob directory has been set up
        if [ "$cfg_mob" = "mob" -a "$authuser" != "mob" -a -d "$cfg_reporoot/$proj/mob" ] &&
                "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
                (
                        umask 113
                        > "$cfg_chroot/etc/sshactive/${authuser},"
                        mv -f "$cfg_chroot/etc/sshactive/${authuser}," "$cfg_chroot/etc/sshactive/${authuser}"
                )
                export PATH_INFO="/$proj/mob/$suffix"
                if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
                        exec "$cfg_git_http_backend_bin" "$@"
                else
                        exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
                fi
                internalerr "exec failed: $cfg_git_http_backend_bin"
                exit 1
        fi
        forbidden "The user '$authuser' does not have push permissions for project '$proj'." \
                "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj"
        exit 1
fi

(
        umask 113
        > "$cfg_chroot/etc/sshactive/${authuser},"
        mv -f "$cfg_chroot/etc/sshactive/${authuser}," "$cfg_chroot/etc/sshactive/${authuser}"
)
if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
        exec "$cfg_git_http_backend_bin" "$@"
else
        exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
fi
internalerr "exec failed: $cfg_git_http_backend_bin"
exit 1