| commit | e31102f974001f9bce0cf80b4a578fbcd7189c0d | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Fri, 27 Mar 2020 19:00:08 +0000 (27 12:00 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Fri, 27 Mar 2020 19:00:08 +0000 (27 12:00 -0700) | ||
| tree | 3930462aec17317b901ceafe45b232a5d96b3a71 | treesnapshot (tar.gz zip) |
| parent | 7bb9c347b9779fa86ff2ae23af510ac7efcd4cf2 | commitdiff |
git-*-verify: sanitize log messages before output
Part of the information in the log message comes from a remote
client. The point of logging is not only to include successful
requests, but also denied requests.
That means the information from the remote client contained within
a denied request log message has failed validation.
Consider that for a moment. It could literally be *ANY* sequence
of bytes.
Exhibit an abundance of caution and transform any bytes which are
not in the range \x20-\x7E (the printable characters) and are not
the final newline character (\x0A) into '?' characters before output.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Part of the information in the log message comes from a remote
client. The point of logging is not only to include successful
requests, but also denied requests.
That means the information from the remote client contained within
a denied request log message has failed validation.
Consider that for a moment. It could literally be *ANY* sequence
of bytes.
Exhibit an abundance of caution and transform any bytes which are
not in the range \x20-\x7E (the printable characters) and are not
the final newline character (\x0A) into '?' characters before output.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
| bin/git-daemon-verify | diffblobblamehistory | |
| bin/git-shell-verify | diffblobblamehistory |