| blob | b8eb02bb6d5f28476974786b3dfa6f535e8ac0c0 |
1 From 11ac13e816703edfa0d4cfca58a441064827af33 Mon Sep 17 00:00:00 2001
2 From: Johannes Schindelin <johannes.schindelin@gmx.de>
3 Date: Fri, 13 Sep 2019 16:32:43 +0200
4 Subject: mingw: fix quoting of arguments
6 We need to be careful to follow proper quoting rules. For example, if an
7 argument contains spaces, we have to quote them. Double-quotes need to
8 be escaped. Backslashes need to be escaped, but only if they are
9 followed by a double-quote character.
11 We need to be _extra_ careful to consider the case where an argument
12 ends in a backslash _and_ needs to be quoted: in this case, we append a
13 double-quote character, i.e. the backslash now has to be escaped!
15 The current code, however, fails to recognize that, and therefore can
16 turn an argument that ends in a single backslash into a quoted argument
17 that now ends in an escaped double-quote character. This allows
18 subsequent command-line parameters to be split and part of them being
19 mistaken for command-line options, e.g. through a maliciously-crafted
20 submodule URL during a recursive clone.
22 Technically, we would not need to quote _all_ arguments which end in a
23 backslash _unless_ the argument needs to be quoted anyway. For example,
24 `test\` would not need to be quoted, while `test \` would need to be.
26 To keep the code simple, however, and therefore easier to reason about
27 and ensure its correctness, we now _always_ quote an argument that ends
28 in a backslash.
30 This addresses CVE-2019-1350.
32 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
33 (cherry picked from commit 6d8684161ee9c03bed5cb69ae76dfdddb85a0003)
34 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
35 ---
36 compat/mingw.c | 9 ++++++---
37 t/t7416-submodule-dash-url.sh | 14 ++++++++++++++
38 2 files changed, 20 insertions(+), 3 deletions(-)
40 diff --git a/compat/mingw.c b/compat/mingw.c
41 index fe609239dd..54f722e398 100644
42 --- a/compat/mingw.c
43 +++ b/compat/mingw.c
44 @@ -1054,7 +1054,7 @@ static const char *quote_arg_msvc(const char *arg)
45 p++;
46 len++;
47 }
48 - if (*p == '"')
49 + if (*p == '"' || !*p)
50 n += count*2 + 1;
51 continue;
52 }
53 @@ -1076,16 +1076,19 @@ static const char *quote_arg_msvc(const char *arg)
54 count++;
55 *d++ = *arg++;
56 }
57 - if (*arg == '"') {
58 + if (*arg == '"' || !*arg) {
59 while (count-- > 0)
60 *d++ = '\\';
61 + /* don't escape the surrounding end quote */
62 + if (!*arg)
63 + break;
64 *d++ = '\\';
65 }
66 }
67 *d++ = *arg++;
68 }
69 *d++ = '"';
70 - *d++ = 0;
71 + *d++ = '\0';
72 return q;
73 }
75 diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
76 index 1cd2c1c1ea..5ba041f537 100755
77 --- a/t/t7416-submodule-dash-url.sh
78 +++ b/t/t7416-submodule-dash-url.sh
79 @@ -46,4 +46,18 @@ test_expect_success 'fsck rejects unprotected dash' '
80 grep gitmodulesUrl err
81 '
83 +test_expect_success 'trailing backslash is handled correctly' '
84 + git init testmodule &&
85 + test_commit -C testmodule c &&
86 + git submodule add ./testmodule &&
87 + : ensure that the name ends in a double backslash &&
88 + sed -e "s|\\(submodule \"testmodule\\)\"|\\1\\\\\\\\\"|" \
89 + -e "s|url = .*|url = \" --should-not-be-an-option\"|" \
90 + <.gitmodules >.new &&
91 + mv .new .gitmodules &&
92 + git commit -am "Add testmodule" &&
93 + test_must_fail git clone --verbose --recurse-submodules . dolly 2>err &&
94 + test_i18ngrep ! "unknown option" err
95 +'
96 +
97 test_done
98 --
99 2.24.0.393.g34dc348eaf