
[Cvs-cvs] ccvs/src ChangeLog main.c root.c root.h sanity.sh


From: Derek Robert Price
Subject: [Cvs-cvs] ccvs/src ChangeLog main.c root.c root.h sanity.sh
Date: Wed, 09 May 2007 23:54:34 +0000

CVSROOT:        /cvsroot/cvs
Module name:    ccvs
Changes by:     Derek Robert Price <dprice>     07/05/09 23:54:33

Modified files:
        src            : ChangeLog main.c root.c root.h sanity.sh 

Log message:
        * main.c (main): Use new root_allow_regexp_add function, declare
        new --allow-root-regexp option parameter.
        * root.c: Added new functions root_allow_regexp_add and
        root_allow_compare_regexp, new variables
        root_allow_regexp.  Modified root_allow_ok, root_allow_used and
        root_allow_free.  The code adds the matched repository path to
        root_allow as if specified using --allow-root.  --allow-root is not
        mandatory anymore if --allow-root-regexp is used instead.
        (Original 2001/2004 patches from Roland Mas <address@hidden>.)
        
        * sanity.sh: Added test cases as pserver-3b and pserver-3c,
        updated pserver-3.

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/ChangeLog?cvsroot=cvs&r1=1.3508&r2=1.3509
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/main.c?cvsroot=cvs&r1=1.268&r2=1.269
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/root.c?cvsroot=cvs&r1=1.125&r2=1.126
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/root.h?cvsroot=cvs&r1=1.24&r2=1.25
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/sanity.sh?cvsroot=cvs&r1=1.1175&r2=1.1176

Patches:
Index: ChangeLog
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/ChangeLog,v
retrieving revision 1.3508
retrieving revision 1.3509
diff -u -b -r1.3508 -r1.3509
--- ChangeLog   8 May 2007 12:35:53 -0000       1.3508
+++ ChangeLog   9 May 2007 23:54:33 -0000       1.3509
@@ -1,3 +1,19 @@
+2007-05-09  Derek Price  <address@hidden>
+       for Sylvain Beucler  <address@hidden>
+
+       * main.c (main): Use new root_allow_regexp_add function, declare
+       new --allow-root-regexp option parameter.
+       * root.c: Added new functions root_allow_regexp_add and
+       root_allow_compare_regexp, new variables
+       root_allow_regexp.  Modified root_allow_ok, root_allow_used and
+       root_allow_free.  The code adds the matched repository path to
+       root_allow as if specified using --allow-root.  --allow-root is not
+       mandatory anymore if --allow-root-regexp is used instead.
+       (Original 2001/2004 patches from Roland Mas <address@hidden>.)
+
+       * sanity.sh: Added test cases as pserver-3b and pserver-3c,
+       updated pserver-3.
+
 2007-05-07  Derek Price  <address@hidden>
 
        * mkmodules.c (init): Assert that the server is not active.

Index: main.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/main.c,v
retrieving revision 1.268
retrieving revision 1.269
diff -u -b -r1.268 -r1.269
--- main.c      17 May 2006 15:24:30 -0000      1.268
+++ main.c      9 May 2007 23:54:33 -0000       1.269
@@ -576,6 +576,7 @@
        {"verify-arg", required_argument, NULL, 12},
 #ifdef SERVER_SUPPORT
        {"allow-root", required_argument, NULL, 3},
+       {"allow-root-regexp", required_argument, NULL, 14},
        {"timeout", required_argument, NULL, 13},
 #endif /* SERVER_SUPPORT */
         {0, 0, 0, 0}
@@ -823,6 +824,10 @@
                /* --allow-root */
                root_allow_add (optarg, gConfigPath);
                break;
+           case 14:
+               /* --allow-root-regexp */
+               root_allow_regexp_add (optarg, gConfigPath);
+               break;
            case 13:
                /* --timeout */
                connection_timeout = strtol (optarg, &end, 10);

Index: root.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/root.c,v
retrieving revision 1.125
retrieving revision 1.126
diff -u -b -r1.125 -r1.126
--- root.c      24 Apr 2006 18:50:27 -0000      1.125
+++ root.c      9 May 2007 23:54:33 -0000       1.126
@@ -285,6 +285,7 @@
    directories.  Then we can check against them when a remote user
    hands us a CVSROOT directory.  */
 static List *root_allow;
+static List *root_allow_regexp;
 
 static void
 delconfig (Node *n)
@@ -308,21 +309,65 @@
 }
 
 void
+root_allow_regexp_add (const char *arg, const char *configPath)
+{
+    Node *n;
+
+    if (!root_allow_regexp) root_allow_regexp = getlist();
+    n = getnode();
+    n->key = xstrdup (arg);
+
+    /* This is a regexp, not the final cvsroot path - we cannot attach
+       it a config. So we attach configPath and we'll root_allow_add()
+       the actual, matching root in root_allow_compare_regexp() */
+    n->data = (void*)configPath;
+
+    addnode (root_allow_regexp, n);
+}
+
+void
 root_allow_free (void)
 {
     dellist (&root_allow);
+    dellist (&root_allow_regexp);
 }
 
 bool
 root_allow_used (void)
 {
-    return root_allow != NULL;
+    return root_allow || root_allow_regexp;
+}
+
+/* walklist() callback for determining if 'root_to_check' matches
+   n->key (a regexp). If yes, 'root_to_check' will be added as if
+   directly specified through --allow-root.
+ */
+static int
+root_allow_compare_regexp (Node *n, void *root_to_check)
+{
+  int status;
+  regex_t re;
+
+  if (regcomp(&re, n->key,
+             REG_EXTENDED|REG_NOSUB) != 0)
+  {
+      return 0;      /* report error? */
+  }
+  status = regexec(&re, root_to_check, (size_t) 0, NULL, 0);
+  regfree(&re);
+  if (status == 0)
+  {
+      /* n->data contains gConfigPath */
+      root_allow_add (root_to_check, n->data);
+      return 1;
+  }
+  return 0;
 }
 
 bool
 root_allow_ok (const char *arg)
 {
-    if (!root_allow)
+    if (!root_allow_used())
     {
        /* Probably someone upgraded from CVS before 1.9.10 to 1.9.10
           or later without reading the documentation about
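Review bot: In root_allow_compare_regexp a pattern that fails regcomp() is skipped silently (`return 0; /* report error? */`), so a typo in --allow-root-regexp only shows up as clients being refused, and every pattern is recompiled on each root_allow_ok() call. Compiling the pattern once in root_allow_regexp_add and stopping with the regerror() text would surface the mistake at startup; the sketch below assumes CVS's error() is usable at option-parsing time. Separately, root_allow_regexp_add stores the borrowed configPath in n->data through a const-dropping cast and sets no delproc, so if dellist()'s default node cleanup frees n->data (not visible here), root_allow_free would free a pointer this list does not own; that is worth confirming. The hunk ends inside root_allow_ok, whose body continues in the next hunk.

```c
void
root_allow_regexp_add (const char *arg, const char *configPath)
{
    Node *n;
    regex_t re;
    int rc;

    /* Reject a malformed pattern when the option is parsed rather than
       treating it as a non-match on every request.  */
    rc = regcomp (&re, arg, REG_EXTENDED|REG_NOSUB);
    if (rc != 0)
    {
        char msg[256];
        regerror (rc, &re, msg, sizeof msg);
        error (1, 0, "invalid --allow-root-regexp `%s': %s", arg, msg);
    }
    regfree (&re);

    /* … unchanged: getlist/getnode, key and data assignment, addnode … */
}
```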
@@ -334,12 +379,18 @@
           back "error" rather than waiting for the next request which
           expects responses.  */
        printf ("\
-error 0 Server configuration missing --allow-root in inetd.conf\n");
+error 0 Server configuration missing --allow-root or --allow-root-regexp in 
inetd.conf\n");
        exit (EXIT_FAILURE);
     }
 
+    /* Look for 'arg' in the list of full-path allowed roots */
     if (findnode (root_allow, arg))
        return true;
+    
+    /* Match 'arg' against the list of allowed roots regexps */
+    if (walklist (root_allow_regexp, root_allow_compare_regexp, (void*)arg))
+      return true;
+
     return false;
 }
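Review bot: The comment added above the walklist() call should say that the patterns are applied with regexec() as a search, not a full-string match, to the root string as passed in `arg`, because an entry written without `^` and `$` admits any root that merely contains a match. I would extend it to something like `/* Match 'arg' against the allowed-root regexps.  regexec() searches, so each pattern must carry its own ^...$ anchors. */` and repeat the requirement wherever --allow-root-regexp is documented. Whether `arg` has been normalised (for example `..` components resolved) before it reaches this function is not visible in this hunk and is worth confirming, since a successful match also adds `arg` to root_allow. root_allow_ok begins in the previous hunk.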
 

Index: root.h
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/root.h,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -b -r1.24 -r1.25
--- root.h      24 Apr 2006 18:50:27 -0000      1.24
+++ root.h      9 May 2007 23:54:33 -0000       1.25
@@ -89,6 +89,7 @@
        __attribute__ ((__malloc__));
 void Create_Root (const char *dir, const char *rootdir);
 void root_allow_add (const char *, const char *configPath);
+void root_allow_regexp_add (const char *, const char *configPath);
 void root_allow_free (void);
 bool root_allow_used (void);
 bool root_allow_ok (const char *);

Index: sanity.sh
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/sanity.sh,v
retrieving revision 1.1175
retrieving revision 1.1176
diff -u -b -r1.1175 -r1.1176
--- sanity.sh   8 May 2007 12:35:53 -0000       1.1175
+++ sanity.sh   9 May 2007 23:54:33 -0000       1.1176
@@ -31622,7 +31622,7 @@
 willfail:   :whocares
 EOF
            dotest_fail pserver-3 "$servercvs pserver" \
-"error 0 Server configuration missing --allow-root in inetd.conf" <<EOF
+"error 0 Server configuration missing --allow-root or --allow-root-regexp in 
inetd.conf" <<EOF
 BEGIN AUTH REQUEST
 $CVSROOT_DIRNAME
 testme
@@ -31640,6 +31640,27 @@
 END AUTH REQUEST
 EOF
 
+            regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+           dotest pserver-3b "${testcvs} --allow-root-regexp=$regexp pserver" \
+"I LOVE YOU" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
+            regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+           dotest_fail pserver-3c "${testcvs} --allow-root-regexp=$regexp 
pserver" \
+"$CPROG pserver: ${CVSROOT_DIRNAME}/subdir: no such repository
+I HATE YOU" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}/subdir
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
            # Confirm that not sending a newline during auth cannot constitute
            # a denial-of-service attack.  This assumes that PATH_MAX is less
            # than 65536 bytes.  If PATH_MAX is larger than 65535 bytes, this
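Review bot: pserver-3b and pserver-3c exercise only a fully anchored pattern, so neither the search (unanchored) semantics of the match nor the malformed-pattern path in root_allow_compare_regexp, which returns 0 without a message, is pinned by a test. A further `dotest_fail` case that passes an expression regcomp() rejects and expects the authentication to be refused would fix the fail-closed behaviour in place. The second `regexp=` assignment repeats the first unchanged and could be dropped.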



