1 Subject: [PATCH] gitweb: avoid implicit use of the shell
3 In the one case where the shell must be run (when using
4 highlight), use an explicitly configured $posix_shell_bin that
5 can be set in GITWEB_CONFIG if necessary to increase security.
7 Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
9 gitweb/Makefile | 9 +++++----
10 gitweb/gitweb.perl | 18 ++++++++++++------
11 2 files changed, 17 insertions(+), 10 deletions(-)
13 diff --git a/gitweb/Makefile b/gitweb/Makefile
14 index cd194d05..8aab6c99 100644
17 @@ -16,6 +16,8 @@ gitwebdir ?= /var/www/cgi-bin
21 +SHELL_PATH ?= /bin/sh
22 +PERL_PATH ?= /usr/bin/perl
24 # default configuration for gitweb
25 GITWEB_CONFIG = gitweb_config.perl
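Review bot: The default for SHELL_PATH changes here from `$(SHELL)` (the line removed in the `@@ -52,9 +55,6 @@` hunk) to a literal `/bin/sh`, which the commit message does not mention. GNU make's own default for `$(SHELL)` is `/bin/sh`, so most builds will probably see no difference, but a build that sets SHELL on the make command line would now have to set SHELL_PATH as well. Placing both `?=` lines ahead of `-include ../config.mak.autogen` looks deliberate so that the generated settings can still win; a short comment such as `# defaults, overridable from config.mak.autogen / config.mak` would make that ordering requirement visible to the next person who reorders the file.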
26 @@ -38,6 +40,7 @@ GITWEB_SITE_HTML_HEAD_STRING =
29 HIGHLIGHT_BIN = highlight
30 +POSIX_SHELL_BIN = $(SHELL_PATH)
33 -include ../config.mak.autogen
34 @@ -52,9 +55,6 @@ HIGHLIGHT_BIN = highlight
38 -SHELL_PATH ?= $(SHELL)
39 -PERL_PATH ?= /usr/bin/perl
42 bindir_SQ = $(subst ','\'',$(bindir))#'
43 gitwebdir_SQ = $(subst ','\'',$(gitwebdir))#'
44 @@ -148,7 +148,8 @@ GITWEB_REPLACE = \
45 -e 's|++GITWEB_SITE_HTML_HEAD_STRING++|$(GITWEB_SITE_HTML_HEAD_STRING)|g' \
46 -e 's|++GITWEB_SITE_HEADER++|$(GITWEB_SITE_HEADER)|g' \
47 -e 's|++GITWEB_SITE_FOOTER++|$(GITWEB_SITE_FOOTER)|g' \
48 - -e 's|++HIGHLIGHT_BIN++|$(HIGHLIGHT_BIN)|g'
49 + -e 's|++HIGHLIGHT_BIN++|$(HIGHLIGHT_BIN)|g' \
50 + -e 's|++POSIX_SHELL_BIN++|$(POSIX_SHELL_BIN)|g'
52 GITWEB-BUILD-OPTIONS: FORCE
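Review bot: `$(POSIX_SHELL_BIN)` is spliced into the `sed -e 's|...|...|g'` expression unescaped, so a value containing `|`, `&` or `\` would break the substitution or be rewritten by sed rather than copied verbatim into gitweb.perl. The existing HIGHLIGHT_BIN line has the same limitation, but a shell path is an installer-supplied value and the failure mode here is a silently mangled `$posix_shell_bin`. A one-line comment above the list along the lines of `# substituted values must not contain sed metacharacters (| & \)` would at least document the constraint; an escaped variant in the spirit of the `bindir_SQ` pattern would be the stronger fix. The GITWEB_REPLACE definition starts before this hunk.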
54 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
55 index 29da752d..18e180e8 100755
56 --- a/gitweb/gitweb.perl
57 +++ b/gitweb/gitweb.perl
58 @@ -203,6 +203,10 @@ our @diff_opts = ('-M'); # taken from git_commit
62 +# Path to a POSIX shell. Needed to run $highlight_bin and a snapshot compressor.
63 +# Only used when highlight is enabled or snapshots with compressors are enabled.
64 +our $posix_shell_bin = "++POSIX_SHELL_BIN++";
66 # Path to the highlight executable to use (must be the one from
67 # http://www.andre-simon.de due to assumptions about parameters and output).
68 # Useful if highlight is not installed on your webserver's PATH.
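Review bot: The new comment on `$posix_shell_bin` says what it is used for but not what gitweb requires of it: the value is executed as `$posix_shell_bin -c '<pipeline>'` (see the run_highlighter and git_snapshot hunks), so an override in GITWEB_CONFIG must name a shell that accepts `-c` and parses single-quoted words the way quote_command emits them. Suggested addition to the comment block: `# Invoked as "$posix_shell_bin -c <command>"; must be a POSIX sh (accepts -c, single-quote rules).` Since the commit message advertises setting this in GITWEB_CONFIG, it is also worth stating whether a bare command name resolved through the CGI environment's PATH is acceptable or an absolute path is expected.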
69 @@ -4298,9 +4302,10 @@ sub run_highlighter {
70 my ($fd, $syntax) = @_;
71 return $fd unless $fd && !eof($fd) && defined $highlight_bin && defined $syntax;
73 - defined(open my $hifd, quote_command(git_cmd(), "cat-file", "blob", $hash)." | ".
74 - quote_command($highlight_bin).
75 - " --replace-tabs=8 --fragment --syntax $syntax |")
76 + defined(my $hifd = cmd_pipe $posix_shell_bin, '-c',
77 + quote_command(git_cmd(), "cat-file", "blob", $hash)." | ".
78 + quote_command($highlight_bin).
79 + " --replace-tabs=8 --fragment --syntax $syntax")
80 or die_error(500, "Couldn't open file or run syntax highlighter");
82 # just in case, should not happen as we tested !eof($fd) above
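Review bot: `$syntax` is still interpolated bare into the string handed to `$posix_shell_bin -c` on the `" --replace-tabs=8 --fragment --syntax $syntax"` line, so this command only stays free of shell-metacharacter trouble as long as every caller of run_highlighter passes a value from the fixed syntax table (presumably guess_file_syntax); every other argument in the pipeline goes through quote_command, and this one should too. Replace the two lines `quote_command($highlight_bin).` / `" --replace-tabs=8 --fragment --syntax $syntax")` with `quote_command($highlight_bin, '--replace-tabs=8', '--fragment', '--syntax', $syntax))`, which keeps the defence local to this function instead of depending on the caller. Whether the outer call itself bypasses the shell depends on cmd_pipe using the list form of open, which is defined outside this hunk. run_highlighter's body continues past the hunk.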
83 @@ -8009,12 +8014,13 @@ sub git_snapshot {
84 my %co = parse_commit($hash);
85 exit_if_unmodified_since($co{'committer_epoch'}) if %co;
87 - my $cmd = quote_command(
90 "--format=$known_snapshot_formats{$format}{'format'}",
91 "--prefix=$prefix/", $hash);
92 if (exists $known_snapshot_formats{$format}{'compressor'}) {
93 - $cmd .= ' | ' . quote_command(@{$known_snapshot_formats{$format}{'compressor'}});
94 + @cmd = ($posix_shell_bin, '-c', quote_command(@cmd) .
95 + ' | ' . quote_command(@{$known_snapshot_formats{$format}{'compressor'}}));
98 $filename =~ s/(["\\])/\\$1/g;
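Review bot: In the compressor branch the two-stage pipeline is run by `$posix_shell_bin -c`, so a failure of `git archive` is invisible to the caller: only the compressor's exit status reaches the shell, and the handle from `cmd_pipe @cmd` is read without any status check, so a broken or missing object would be served as a truncated snapshot with `200 OK`. This is inherited from the old `$cmd .= ' | '` form rather than introduced here, but since the line is being rewritten it deserves a comment such as `# NOTE: the shell pipeline hides git-archive's exit status; only the compressor's is visible`. The `my @cmd = (...)` declaration this hunk relies on is not visible in this excerpt, and whether the no-compressor path truly avoids the shell depends on cmd_pipe using list-form open, defined elsewhere in the file.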
99 @@ -8029,7 +8035,7 @@ sub git_snapshot {
100 %co ? (-last_modified => $latest_date{'rfc2822'}) : (),
101 -status => '200 OK');
103 - defined(my $fd = cmd_pipe $cmd)
104 + defined(my $fd = cmd_pipe @cmd)
105 or die_error(500, "Execute git-archive failed");
106 binmode STDOUT, ':raw';