1 From 95110704086cf8c226bdd04aeab9bf13da8331e8 Mon Sep 17 00:00:00 2001
2 From: Jeff King <peff@peff.net>
3 Date: Mon, 11 Sep 2017 11:27:51 -0400
4 Subject: shell: drop git-cvsserver support by default
6 The git-cvsserver script is old and largely unmaintained
7 these days. But git-shell allows untrusted users to run it
8 out of the box, significantly increasing its attack surface.
10 Let's drop it from git-shell's list of internal handlers so
11 that it cannot be run by default. This is not backwards
12 compatible. But given the age and development activity on
13 CVS-related parts of Git, this is likely to impact very few
14 users, while helping many more (i.e., anybody who runs
15 git-shell and had no intention of supporting CVS).
17 There's no configuration mechanism in git-shell for us to
18 add a boolean and flip it to "off". But there is a mechanism
19 for adding custom commands, and adding CVS support here is
20 fairly trivial. Let's document it to give guidance to
21 anybody who really is still running cvsserver.
23 Signed-off-by: Jeff King <peff@peff.net>
24 Signed-off-by: Junio C Hamano <gitster@pobox.com>
26 Documentation/git-shell.txt | 16 ++++++++++++++
27 shell.c | 14 ------------
28 t/t9400-git-cvsserver-server.sh | 48 +++++++++++++++++++++++++++++++++++++++++
29 3 files changed, 64 insertions(+), 14 deletions(-)
31 diff --git a/Documentation/git-shell.txt b/Documentation/git-shell.txt
32 index 2e30a3e42d..54cf2560be 100644
33 --- a/Documentation/git-shell.txt
34 +++ b/Documentation/git-shell.txt
35 @@ -79,6 +79,22 @@ EOF
36 $ chmod +x $HOME/git-shell-commands/no-interactive-login
39 +To enable git-cvsserver access (which should generally have the
40 +`no-interactive-login` example above as a prerequisite, as creating
41 +the git-shell-commands directory allows interactive logins):
44 +$ cat >$HOME/git-shell-commands/cvs <<\EOF
45 +if ! test $# = 1 && test "$1" = "server"
47 + echo >&2 "git-cvsserver only handles \"server\""
50 +exec git cvsserver server
52 +$ chmod +x $HOME/git-shell-commands/cvs
58 diff --git a/shell.c b/shell.c
59 index fe2d314593..234b2d4f16 100644
62 @@ -25,19 +25,6 @@ static int do_generic_cmd(const char *me, char *arg)
63 return execv_git_cmd(my_argv);
66 -static int do_cvs_cmd(const char *me, char *arg)
68 - const char *cvsserver_argv[3] = {
69 - "cvsserver", "server", NULL
72 - if (!arg || strcmp(arg, "server"))
73 - die("git-cvsserver only handles server: %s", arg);
76 - return execv_git_cmd(cvsserver_argv);
79 static int is_valid_cmd_name(const char *cmd)
81 /* Test command contains no . or / characters */
82 @@ -134,7 +121,6 @@ static struct commands {
83 { "git-receive-pack", do_generic_cmd },
84 { "git-upload-pack", do_generic_cmd },
85 { "git-upload-archive", do_generic_cmd },
86 - { "cvs", do_cvs_cmd },
90 diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh
91 index 432c61d246..c30660d606 100755
92 --- a/t/t9400-git-cvsserver-server.sh
93 +++ b/t/t9400-git-cvsserver-server.sh
94 @@ -588,4 +588,52 @@ test_expect_success 'cvs annotate' '
95 test_cmp ../expect ../actual
99 +# running via git-shell
104 +test_expect_success 'create remote-cvs helper' '
105 + write_script remote-cvs <<-\EOF
106 + exec git shell -c "cvs server"
110 +test_expect_success 'cvs server does not run with vanilla git-shell' '
113 + CVS_SERVER=$WORKDIR/remote-cvs &&
114 + export CVS_SERVER &&
115 + test_must_fail cvs log merge
119 +test_expect_success 'configure git shell to run cvs server' '
120 + mkdir "$HOME"/git-shell-commands &&
122 + write_script "$HOME"/git-shell-commands/cvs <<-\EOF &&
123 + if ! test $# = 1 && test "$1" = "server"
125 + echo >&2 "git-cvsserver only handles \"server\""
128 + exec git cvsserver server
131 + # Should not be used, but part of the recommended setup
132 + write_script "$HOME"/git-shell-commands/no-interactive-login <<-\EOF
133 + echo Interactive login forbidden
137 +test_expect_success 'cvs server can run with recommended config' '
140 + CVS_SERVER=$WORKDIR/remote-cvs &&
141 + export CVS_SERVER &&
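Review bot: The guard in the `cvs` helper script written at gutter line 123, `if ! test $# = 1 && test "$1" = "server"`, does not check what its error message says: in POSIX shell `!` negates only the first `test`, so the condition reads `(argc != 1) && ("$1" = "server")`, and invocations such as `cvs`, `cvs foo` or `cvs foo bar` fall through to the `exec git cvsserver server` line while only `cvs server extra` is rejected. Because the exec line hard-codes its arguments, nothing caller-controlled reaches git-cvsserver either way, so the practical effect is a misleading guard rather than an injection path; the test suite does not exercise the rejecting branch, so the mistake is not caught here. The intended check is `if test $# != 1 || test "$1" != "server"` (or `if ! { test $# = 1 && test "$1" = "server"; }`). The identical line is added to Documentation/git-shell.txt in this patch, which readers will copy verbatim, so both copies should be corrected together. The last test's body continues past the visible lines after `export CVS_SERVER &&`.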
148 2.14.1.821.g8fa685d3b7