summaryrefslogtreecommitdiffstats
path: root/daemon.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'dm/ni-maxhost-may-be-missing' into maint-1.8.1Junio C Hamano2013-03-251-4/+0
|\ | | | | | | | | | | | | | | Some sources failed to compile on systems that lack NI_MAXHOST in their system header. * dm/ni-maxhost-may-be-missing: git-compat-util.h: Provide missing netdb.h definitions
| * git-compat-util.h: Provide missing netdb.h definitionsDavid Michael2013-02-251-4/+0
| | | | | | | | | | | | | | | | Some platforms may lack the NI_MAXHOST and NI_MAXSERV values in their system headers, so ensure they are available. Signed-off-by: David Michael <fedora.dm0@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: --access-hook optionJunio C Hamano2012-08-151-0/+77
|/ | | | | | | | | | | | | | | | | | | | | | | | | The --access-hook option to "git daemon" specifies an external command to be run every time a client connects, with - service name (e.g. "upload-pack", etc.), - path to the repository, - hostname (%H), - canonical hostname (%CH), - ip address (%IP), - tcp port (%P) as its command line arguments. The external command can decide to decline the service by exiting with a non-zero status (or to allow it by exiting with a zero status). It can also look at the $REMOTE_ADDR and $REMOTE_PORT environment variables to learn about the requestor when making this decision. The external command can optionally write a single line to its standard output to be sent to the requestor as an error message when it declines the service. Acked-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* git-daemon: produce output when readyClemens Buchacher2012-01-091-3/+3
| | | | | | | | | | | If a client tries to connect after git-daemon starts, but before it opens a listening socket, the connection will fail. Output "[PID] Ready to rumble]" after opening the socket successfully in order to inform the user that the daemon is now ready to receive connections. Signed-off-by: Clemens Buchacher <drizzd@aon.at> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* i18n: add infrastructure for translating Git with gettextÆvar Arnfjörð Bjarmason2011-12-061-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change the skeleton implementation of i18n in Git to one that can show localized strings to users for our C, Shell and Perl programs using either GNU libintl or the Solaris gettext implementation. This new internationalization support is enabled by default. If gettext isn't available, or if Git is compiled with NO_GETTEXT=YesPlease, Git falls back on its current behavior of showing interface messages in English. When using the autoconf script we'll auto-detect if the gettext libraries are installed and act appropriately. This change is somewhat large because as well as adding a C, Shell and Perl i18n interface we're adding a lot of tests for them, and for those tests to work we need a skeleton PO file to actually test translations. A minimal Icelandic translation is included for this purpose. Icelandic includes multi-byte characters which makes it easy to test various edge cases, and it's a language I happen to understand. The rest of the commit message goes into detail about various sub-parts of this commit. = Installation Gettext .mo files will be installed and looked for in the standard $(prefix)/share/locale path. GIT_TEXTDOMAINDIR can also be set to override that, but that's only intended to be used to test Git itself. = Perl Perl code that's to be localized should use the new Git::I18n module. It imports a __ function into the caller's package by default. Instead of using the high level Locale::TextDomain interface I've opted to use the low-level (equivalent to the C interface) Locale::Messages module, which Locale::TextDomain itself uses. Locale::TextDomain does a lot of redundant work we don't need, and some of it would potentially introduce bugs. It tries to set the $TEXTDOMAIN based on package of the caller, and has its own hardcoded paths where it'll search for messages. I found it easier just to completely avoid it rather than try to circumvent its behavior. In any case, this is an issue wholly internal Git::I18N. Its guts can be changed later if that's deemed necessary. See <AANLkTilYD_NyIZMyj9dHtVk-ylVBfvyxpCC7982LWnVd@mail.gmail.com> for a further elaboration on this topic. = Shell Shell code that's to be localized should use the git-sh-i18n library. It's basically just a wrapper for the system's gettext.sh. If gettext.sh isn't available we'll fall back on gettext(1) if it's available. The latter is available without the former on Solaris, which has its own non-GNU gettext implementation. We also need to emulate eval_gettext() there. If neither are present we'll use a dumb printf(1) fall-through wrapper. = About libcharset.h and langinfo.h We use libcharset to query the character set of the current locale if it's available. I.e. we'll use it instead of nl_langinfo if HAVE_LIBCHARSET_H is set. The GNU gettext manual recommends using langinfo.h's nl_langinfo(CODESET) to acquire the current character set, but on systems that have libcharset.h's locale_charset() using the latter is either saner, or the only option on those systems. GNU and Solaris have a nl_langinfo(CODESET), FreeBSD can use either, but MinGW and some others need to use libcharset.h's locale_charset() instead. =Credits This patch is based on work by Jeff Epler <jepler@unpythonic.net> who did the initial Makefile / C work, and a lot of comments from the Git mailing list, including Jonathan Nieder, Jakub Narebski, Johannes Sixt, Erik Faye-Lund, Peter Krefting, Junio C Hamano, Thomas Rast and others. [jc: squashed a small Makefile fix from Ramsay] Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'jk/daemon-msgs'Junio C Hamano2011-10-221-8/+21
|\ | | | | | | | | | | | | | | * jk/daemon-msgs: daemon: give friendlier error messages to clients Conflicts: daemon.c
| * daemon: give friendlier error messages to clientsJeff King2011-10-161-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the git-daemon is asked about an inaccessible repository, it simply hangs up the connection without saying anything further. This makes it hard to distinguish between a repository we cannot access (e.g., due to typo), and a service or network outage. Instead, let's print an "ERR" line, which git clients understand since v1.6.1 (2008-12-24). Because there is a risk of leaking information about non-exported repositories, by default all errors simply say "access denied or repository not exported". Sites which don't have hidden repositories, or don't care, can pass a flag to turn on more specific messages. Signed-off-by: Jeff King <peff@peff.net> Helped-by: Sitaram Chamarty <sitaramc@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'ph/transport-with-gitfile'Junio C Hamano2011-10-221-2/+2
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | * ph/transport-with-gitfile: Fix is_gitfile() for files too small or larger than PATH_MAX to be a gitfile Add test showing git-fetch groks gitfiles Teach transport about the gitfile mechanism Learn to handle gitfiles in enter_repo enter_repo: do not modify input
| * | enter_repo: do not modify inputErik Faye-Lund2011-10-041-2/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | entr_repo(..., 0) currently modifies the input to strip away trailing slashes. This means that we some times need to copy the input to keep the original. Change it to unconditionally copy it into the used_path buffer so we can safely use the input without having to copy it. Also store a working copy in validated_path up-front before we start resolving anything. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Phil Hord <hordp@cisco.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'nd/git-daemon-error-msgs'Junio C Hamano2011-10-141-4/+8
|\ \ | | | | | | | | | | | | * nd/git-daemon-error-msgs: daemon: return "access denied" if a service is not allowed
| * | daemon: return "access denied" if a service is not allowedNguyễn Thái Ngọc Duy2011-10-041-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | The message is chosen to avoid leaking information, yet let users know that they are deliberately not allowed to use the service, not a fault in service configuration or the service itself. Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | daemon: log errors if we could not use some socketsNguyễn Thái Ngọc Duy2011-10-041-0/+37
| |/ |/| | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Fix sparse warningsStephen Boyd2011-03-221-1/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix warnings from 'make check'. - These files don't include 'builtin.h' causing sparse to complain that cmd_* isn't declared: builtin/clone.c:364, builtin/fetch-pack.c:797, builtin/fmt-merge-msg.c:34, builtin/hash-object.c:78, builtin/merge-index.c:69, builtin/merge-recursive.c:22 builtin/merge-tree.c:341, builtin/mktag.c:156, builtin/notes.c:426 builtin/notes.c:822, builtin/pack-redundant.c:596, builtin/pack-refs.c:10, builtin/patch-id.c:60, builtin/patch-id.c:149, builtin/remote.c:1512, builtin/remote-ext.c:240, builtin/remote-fd.c:53, builtin/reset.c:236, builtin/send-pack.c:384, builtin/unpack-file.c:25, builtin/var.c:75 - These files have symbols which should be marked static since they're only file scope: submodule.c:12, diff.c:631, replace_object.c:92, submodule.c:13, submodule.c:14, trace.c:78, transport.c:195, transport-helper.c:79, unpack-trees.c:19, url.c:3, url.c:18, url.c:104, url.c:117, url.c:123, url.c:129, url.c:136, thread-utils.c:21, thread-utils.c:48 - These files redeclare symbols to be different types: builtin/index-pack.c:210, parse-options.c:564, parse-options.c:571, usage.c:49, usage.c:58, usage.c:63, usage.c:72 - These files use a literal integer 0 when they really should use a NULL pointer: daemon.c:663, fast-import.c:2942, imap-send.c:1072, notes-merge.c:362 While we're in the area, clean up some unused #includes in builtin files (mostly exec_cmd.h). Signed-off-by: Stephen Boyd <bebarino@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* daemon: support <directory> arguments againJonathan Nieder2011-01-041-3/+4
| | | | | | | | | | | | | | | | | | | | | | Ever since v1.7.4-rc0~125^2~8 (daemon: use run-command api for async serving, 2010-11-04), git daemon spawns child processes instead of forking to serve requests. The child processes learn that they are being run for this purpose from the presence of the --serve command line flag. When running with <ok_path> arguments, the --serve flag is treated as one of the path arguments and the special child behavior does not kick in. So the child becomes an ordinary git daemon process, notices that all the addresses it needs are in use, and exits with the message "fatal: unable to allocate any listen sockets on port 9418". Fix it by putting --serve at the beginning of the command line, where the flag cannot be mistaken for a path argument. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Acked-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'md/interix'Junio C Hamano2010-11-301-0/+4
|\ | | | | | | | | | | | | | | | | * md/interix: Interix: add configure checks add support for the SUA layer (interix; windows) Conflicts: git-compat-util.h
| * add support for the SUA layer (interix; windows)Markus Duft2010-10-291-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | * add required build options to Makefile. * introduce new NO_INTTYPES_H for systems lacking inttypes; code includes stdint.h instead, if this is set. * introduce new NO_SYS_POLL_H for systems lacking sys/poll.h; code includes poll.h instead, if this is set. * introduce NO_INITGROUPS. initgroups() call is simply omitted. Signed-off-by: Markus Duft <mduft@gentoo.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: opt-out on features that require posixErik Faye-Lund2010-11-051-24/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | Windows does not supply the POSIX-functions fork(), setuuid(), setgid(), setsid() and initgroups(). Error out if --user or --detach is specified when if so. MinGW doesn't have prototypes and headers for inet_ntop and inet_pton, so include our implementation instead. MSVC does, so avoid doing so there. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: make --inetd and --detach incompatibleErik Faye-Lund2010-11-051-4/+4
| | | | | | | | | | | | | | | | | | | | Since --inetd makes main return with the result of execute() before daemonize is gets called, these two options are already incompatible. Document it, and add an error if attempted. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: use socklen_tErik Faye-Lund2010-11-051-3/+3
| | | | | | | | | | | | | | | | | | | | | | Windows's accept()-function takes the last argument as an int, but glibc takes an unsigned int. Use socklen_t to get rid of a warning. This is basically a revert of 7fa0908, but we have already been depending on socklen_t existing since June 2006 (commit 5b276ee4). I guess this means that socklen_t IS defined on OSX after all - at least in recent headers. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: get remote host address from root-processErik Faye-Lund2010-11-051-40/+39
| | | | | | | | | | | | | | | | | | | | | | | | Get remote host in the process that accept() and pass it through the REMOTE_ADDR environment variable to the handler-process. Introduce the REMOTE_PORT environmen variable for the port. Use these variables for reporting instead of doing getpeername(0, ...), which doesn't work on Windows. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: use full buffered mode for stderrErik Faye-Lund2010-11-051-2/+4
| | | | | | | | | | | | | | | | | | | | Windows doesn't support line buffered mode for file streams, so let's just use full buffered mode with a big buffer ("4096 should be enough for everyone") and add explicit flushing. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: use run-command api for async servingErik Faye-Lund2010-11-051-46/+47
| | | | | | | | | | | | | | | | | | | | | | | | fork() is only available on POSIX, so to support git-daemon on Windows we have to use something else. Instead we invent the flag --serve, which is a stripped down version of --inetd-mode. We use start_command() to call git-daemon with this flag appended to serve clients. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | mingw: implement syslogMike Pape2010-11-051-2/+0
|/ | | | | | | | | | | | | | | Syslog does not usually exist on Windows, so implement our own using Window's ReportEvent mechanism. Strings containing "%1" gets expanded into them selves by ReportEvent, resulting in an unreadable string. "%2" and above is not a problem. Unfortunately, on Windows an IPv6 address can contain "%1", so expand "%1" to "% 1" before reporting. "%%1" is also a problem for ReportEvent, but that string cannot occur in an IPv6 address. Signed-off-by: Mike Pape <dotzenlabs@gmail.com> Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'as/daemon-multi-listen'Junio C Hamano2010-10-271-27/+53
|\ | | | | | | | | | | * as/daemon-multi-listen: daemon: allow more than one host address given via --listen daemon: add helper function named_sock_setup
| * daemon: allow more than one host address given via --listenAlexander Sulfrian2010-09-281-9/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the host has more than one interfaces, daemon can listen to all of them by not giving any --listen option, or listen to only one. Teach it to accept more than one --listen options. Remove the hostname information form the die, if no socket could be created. It would only trigger when no interface out of either all interface or the ones specified on the command line with --listen options, can be listened to and so the user does know which "host" was asked. Signed-off-by: Alexander Sulfrian <alexander@sulfrian.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * daemon: add helper function named_sock_setupAlexander Sulfrian2010-09-281-20/+33
| | | | | | | | | | | | | | | | | | | | Add named_sock_setup as helper function for socksetup to make it easier to create more than one listen sockets. named_sock_setup could be called more than one time and add the new sockets to the supplied socklist_p. Signed-off-by: Alexander Sulfrian <alexander@sulfrian.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Use angles for placeholders consistentlyŠtěpán Němec2010-10-081-9/+9
|/ | | | | | Signed-off-by: Štěpán Němec <stepnem@gmail.com> Acked-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Rewrite dynamic structure initializations to runtime assignmentGary V. Vaughan2010-06-011-10/+11
| | | | | | | | | | | | | | | | Unfortunately, there are still plenty of production systems with vendor compilers that choke unless all compound declarations can be determined statically at compile time, for example hpux10.20 (I can provide a comprehensive list of our supported platforms that exhibit this problem if necessary). This patch simply breaks apart any compound declarations with dynamic initialisation expressions, and moves the initialisation until after the last declaration in the same block, in all the places necessary to have the offending compilers accept the code. Signed-off-by: Gary V. Vaughan <gary@thewrittenword.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'bc/maint-daemon-sans-ss-family'Junio C Hamano2010-04-031-4/+7
|\ | | | | | | | | * bc/maint-daemon-sans-ss-family: daemon.c: avoid accessing ss_family member of struct sockaddr_storage
| * daemon.c: avoid accessing ss_family member of struct sockaddr_storageBrandon Casey2010-03-171-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When NO_SOCKADDR_STORAGE is set for a platform, either sockaddr_in or sockaddr_in6 is used intead. Neither of which has an ss_family member. They have an sin_family and sin6_family member respectively. Since the addrcmp() function accesses the ss_family member of a sockaddr_storage struct, compilation fails on platforms which define NO_SOCKADDR_STORAGE. Since any sockaddr_* structure can be cast to a struct sockaddr and have its sa_family member read, do so here to workaround this issue. Thanks to Martin Storsjö for pointing out the fix, and Gary Vaughan for drawing attention to the issue. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | daemon: parse_host_and_port SIGSEGV if port is specifiedImre Deak2010-03-201-1/+1
|/ | | | | | | | | | | | | | | | | | | This typo will lead to git-daemon dying any time the connect string includes a port after the host= attribute. This can lead for example to one of the following error messages on the client side when someone tries git clone git://...:<port>. When the daemon is running on localhost: fatal: The remote end hung up unexpectedly or when the daemon is connected through an ssh tunnel: fatal: protocol error: bad line length character: erro In the latter case 'erro' comes from the daemon's reply: error: git-daemon died of signal 11 Signed-off-by: Imre Deak <imre.deak@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Typofixes outside documentation areaJunio C Hamano2010-02-041-1/+1
| | | | | | | | | | | | | | | | | | | begining -> beginning canonicalizations -> canonicalization comand -> command dewrapping -> unwrapping dirtyness -> dirtiness DISCLAMER -> DISCLAIMER explicitely -> explicitly feeded -> fed impiled -> implied madatory -> mandatory mimick -> mimic preceeding -> preceding reqeuest -> request substition -> substitution Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'il/maint-colon-address'Junio C Hamano2010-01-271-4/+30
|\ | | | | | | | | | | * il/maint-colon-address: Allow use of []-wrapped addresses in git:// Support addresses with ':' in git-daemon
| * Support addresses with ':' in git-daemonIlari Liusvaara2010-01-261-4/+30
| | | | | | | | | | | | | | | | | | | | | | | | If host address could have ':' in it (e.g. numeric IPv6 address), then host and port could not be uniquely parsed. Fix this by parsing the "["<host>"]":<port> and "["<host>"]" notations. Currently the built-in git:// client would send <host>:<port> or <host> for such thing, but it doesn't matter as due to bugs, resolving address fails if <host> contains ':'. Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'jk/warn-author-committer-after-commit'Junio C Hamano2010-01-201-1/+0
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * jk/warn-author-committer-after-commit: user_ident_sufficiently_given(): refactor the logic to be usable from elsewhere commit.c::print_summary: do not release the format string too early commit: allow suppression of implicit identity advice commit: show interesting ident information in summary strbuf: add strbuf_addbuf_percentquote strbuf_expand: convert "%%" to "%" Conflicts: builtin-commit.c ident.c
| * | strbuf_expand: convert "%%" to "%"Jeff King2010-01-141-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The only way to safely quote arbitrary text in a pretty-print user format is to replace instances of "%" with "%x25". This is slightly unreadable, and many users would expect "%%" to produce a single "%", as that is what printf format specifiers do. This patch converts "%%" to "%" for all users of strbuf_expand(): (1) git-daemon interpolated paths (2) pretty-print user formats (3) merge driver command lines Case (1) was already doing the conversion itself outside of strbuf_expand(). Case (2) is the intended beneficiary of this patch. Case (3) users probably won't notice, but as this is user-facing behavior, consistently providing the quoting mechanism makes sense. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | daemon: consider only address in kill_some_child()Erik Faye-Lund2010-01-101-8/+20
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | kill_some_child() compares the entire sockaddr_storage structure (with the pad-bits zeroed out) when trying to find out if connections originate from the same host. However, sockaddr_storage contains the port-number for the connection (which varies between connections), so the comparison always fails. Change the code so we only consider the host-address, by introducing the addrcmp()-function that inspects the address family and compare as appropriate. Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'tc/format-attribute'Junio C Hamano2009-11-231-0/+2
|\ \ | | | | | | | | | | | | * tc/format-attribute: Check the format of more printf-type functions
| * | Check the format of more printf-type functionsTarmigan Casebolt2009-11-161-0/+2
| |/ | | | | | | | | | | | | | | | | | | | | We already have these checks in many printf-type functions that have prototypes which are in header files. Add these same checks to some more prototypes in header functions and to static functions in .c files. cc: Miklos Vajna <vmiklos@frugalware.org> Signed-off-by: Tarmigan Casebolt <tarmigan+git@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* / http-backend: Protect GIT_PROJECT_ROOT from /../ requestsShawn O. Pearce2009-11-101-48/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | Eons ago HPA taught git-daemon how to protect itself from /../ attacks, which Junio brought back into service in d79374c7b58d ("daemon.c and path.enter_repo(): revamp path validation"). I did not carry this into git-http-backend as originally we relied only upon PATH_TRANSLATED, and assumed the HTTP server had done its access control checks to validate the resolved path was within a directory permitting access from the remote client. This would usually be sufficient to protect a server from requests for its /etc/passwd file by http://host/smart/../etc/passwd sorts of URLs. However in 917adc036086 Mark Lodato added GIT_PROJECT_ROOT as an additional method of configuring the CGI. When this environment variable is used the web server does not generate the final access path and therefore may blindly pass through "/../etc/passwd" in PATH_INFO under the assumption that "/../" might have special meaning to the invoked CGI. Instead of permitting these sorts of malformed path requests, we now reject them back at the client, with an error message for the server log. This matches git-daemon behavior. Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'tr/die_errno'Junio C Hamano2009-07-061-8/+7
|\ | | | | | | | | | | | | | | * tr/die_errno: Use die_errno() instead of die() when checking syscalls Convert existing die(..., strerror(errno)) to die_errno() die_errno(): double % in strerror() output just in case Introduce die_errno() that appends strerror(errno) to die()
| * Convert existing die(..., strerror(errno)) to die_errno()Thomas Rast2009-06-271-8/+7
| | | | | | | | | | | | | | | | | | | | | | Change calls to die(..., strerror(errno)) to use the new die_errno(). In the process, also make slight style adjustments: at least state _something_ about the function that failed (instead of just printing the pathname), and put paths in single quotes. Signed-off-by: Thomas Rast <trast@student.ethz.ch> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'js/daemon-log'Junio C Hamano2009-07-021-8/+48
|\ \ | | | | | | | | | | | | | | | | | | * js/daemon-log: receive-pack: do not send error details to the client upload-pack: squelch progress indicator if client cannot see it daemon: send stderr of service programs to the syslog
| * | daemon: send stderr of service programs to the syslogJohannes Sixt2009-06-181-8/+48
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If git-daemon is run with --detach or --inetd, then stderr is explicitly redirected to /dev/null. But notice that the service programs were spawned via execl_git_cmd(), in particular, the stderr channel is inherited from the daemon. This means that errors that the programs wrote to stderr (for example, via die()), went to /dev/null. This patch arranges that the daemon does not merely exec the service program, but forks it and monitors stderr of the child; it writes the errors that it produces to the daemons log via logerror(). A consequence is that the daemon process remains in memory for the full duration of the service program, but this cannot be avoided. Signed-off-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* / Fix various sparse warnings in the git source codeLinus Torvalds2009-06-211-1/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are a few remaining ones, but this fixes the trivial ones. It boils down to two main issues that sparse complains about: - warning: Using plain integer as NULL pointer Sparse doesn't like you using '0' instead of 'NULL'. For various good reasons, not the least of which is just the visual confusion. A NULL pointer is not an integer, and that whole "0 works as NULL" is a historical accident and not very pretty. A few of these remain: zlib is a total mess, and Z_NULL is just a 0. I didn't touch those. - warning: symbol 'xyz' was not declared. Should it be static? Sparse wants to see declarations for any functions you export. A lack of a declaration tends to mean that you should either add one, or you should mark the function 'static' to show that it's in file scope. A few of these remain: I only did the ones that should obviously just be made static. That 'wt_status_submodule_summary' one is debatable. It has a few related flags (like 'wt_status_use_color') which _are_ declared, and are used by builtin-commit.c. So maybe we'd like to export it at some point, but it's not declared now, and not used outside of that file, so 'static' it is in this patch. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* daemon: Strictly parse the "extra arg" part of the commandShawn O. Pearce2009-06-061-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since 1.4.4.5 (49ba83fb67 "Add virtualization support to git-daemon") git daemon enters an infinite loop and never terminates if a client hides any extra arguments in the initial request line which is not exactly "\0host=blah\0". Since that change, a client must never insert additional extra arguments, or attempt to use any argument other than "host=", as any daemon will get stuck parsing the request line and will never complete the request. Since the client can't tell if the daemon is patched or not, it is not possible to know if additional extra args might actually be able to be safely requested. If we ever need to extend the git daemon protocol to support a new feature, we may have to do something like this to the exchange: # If both support git:// v2 # C: 000cgit://v2 S: 0010ok host user C: 0018host git.kernel.org C: 0027git-upload-pack /pub/linux-2.6.git S: ...git-upload-pack header... # If client supports git:// v2, server does not: # C: 000cgit://v2 S: <EOF> C: 003bgit-upload-pack /pub/linux-2.6.git\0host=git.kernel.org\0 S: ...git-upload-pack header... This requires the client to create two TCP connections to talk to an older git daemon, however all daemons since the introduction of daemon.c will safely reject the unknown "git://v2" command request, so the client can quite easily determine the server supports an older protocol. Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* daemon.c: fix segfault on OS XBenjamin Kramer2009-04-301-14/+14
| | | | | | | | | | | | | | | | | | On OS X (and maybe other unices), getaddrinfo(3) returns NULL in the ai_canonname field if it's called with an IP address for the hostname. We'll now use the IP address for the hostname if ai_canonname was NULL, this also matches the behaviour on Linux. steps to reproduce: $ git daemon --export-all $ git clone git://127.0.0.1/frotz => git daemon's fork (silently) segfaults. Remove the pointless loop while at it. There is only one iteration because of the break; on the last line and there are no continues. Signed-off-by: Benjamin Kramer <benny.kra@googlemail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* improve missing repository error messageJeff King2009-03-051-1/+1
| | | | | | | | | | | | | | | | Certain remote commands, when asked to do something in a particular directory that was not actually a git repository, would say "unable to chdir or not a git archive". The "chdir" bit is an unnecessary detail, and the term "git archive" is much less common these days than "git repository". So let's switch them all to: fatal: '%s' does not appear to be a git repository Signed-off-by: Jeff King <peff@peff.net> Acked-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Add calls to git_extract_argv0_path() in programs that call git_config_*Steffen Prohaska2009-01-261-0/+2
| | | | | | | | | | | | Programs that use git_config need to find the global configuration. When runtime prefix computation is enabled, this requires that git_extract_argv0_path() is called early in the program's main(). This commit adds the necessary calls. Signed-off-by: Steffen Prohaska <prohaska@zib.de> Acked-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* remove trailing LF in die() messagesAlexander Potashev2009-01-051-1/+1
| | | | | | | | LF at the end of format strings given to die() is redundant because die already adds one on its own. Signed-off-by: Alexander Potashev <aspotashev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>