Merge pull request #4075 from libgit2/cmn/sec-update-24
Security updates for v0.24
diff --git a/include/git2/version.h b/include/git2/version.h
index 5e06032..226281a 100644
--- a/include/git2/version.h
+++ b/include/git2/version.h
@@ -7,10 +7,10 @@
#ifndef INCLUDE_git_version_h__
#define INCLUDE_git_version_h__
-#define LIBGIT2_VERSION "0.24.5"
+#define LIBGIT2_VERSION "0.24.6"
#define LIBGIT2_VER_MAJOR 0
#define LIBGIT2_VER_MINOR 24
-#define LIBGIT2_VER_REVISION 5
+#define LIBGIT2_VER_REVISION 6
#define LIBGIT2_VER_PATCH 0
#define LIBGIT2_SOVERSION 24
diff --git a/src/transports/http.c b/src/transports/http.c
index f0efd95..b4418f6 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -602,13 +602,12 @@
if ((!error || error == GIT_ECERTIFICATE) && t->owner->certificate_check_cb != NULL &&
git_stream_is_encrypted(t->io)) {
git_cert *cert;
- int is_valid;
+ int is_valid = (error == GIT_OK);
if ((error = git_stream_certificate(&cert, t->io)) < 0)
return error;
giterr_clear();
- is_valid = error != GIT_ECERTIFICATE;
error = t->owner->certificate_check_cb(cert, is_valid, t->connection_data.host, t->owner->message_cb_payload);
if (error < 0) {
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c
index 2297cc9..e05196c 100644
--- a/src/transports/smart_pkt.c
+++ b/src/transports/smart_pkt.c
@@ -427,15 +427,23 @@
if (bufflen > 0 && bufflen < (size_t)len)
return GIT_EBUFS;
+ /*
+ * The length has to be exactly 0 in case of a flush
+ * packet or greater than PKT_LEN_SIZE, as the decoded
+ * length includes its own encoded length of four bytes.
+ */
+ if (len != 0 && len < PKT_LEN_SIZE)
+ return GIT_ERROR;
+
line += PKT_LEN_SIZE;
/*
- * TODO: How do we deal with empty lines? Try again? with the next
- * line?
+ * The Git protocol does not specify empty lines as part
+ * of the protocol. Not knowing what to do with an empty
+ * line, we should return an error upon hitting one.
*/
if (len == PKT_LEN_SIZE) {
- *head = NULL;
- *out = line;
- return 0;
+ giterr_set_str(GITERR_NET, "Invalid empty packet");
+ return GIT_ERROR;
}
if (len == 0) { /* Flush pkt */
diff --git a/src/transports/smart_protocol.c b/src/transports/smart_protocol.c
index 3448fa7..02e1ecf 100644
--- a/src/transports/smart_protocol.c
+++ b/src/transports/smart_protocol.c
@@ -759,14 +759,6 @@
line_len -= (line_end - line);
line = line_end;
- /* When a valid packet with no content has been
- * read, git_pkt_parse_line does not report an
- * error, but the pkt pointer has not been set.
- * Handle this by skipping over empty packets.
- */
- if (pkt == NULL)
- continue;
-
error = add_push_report_pkt(push, pkt);
git_pkt_free(pkt);
@@ -821,9 +813,6 @@
error = 0;
- if (pkt == NULL)
- continue;
-
switch (pkt->type) {
case GIT_PKT_DATA:
/* This is a sideband packet which contains other packets */
diff --git a/tests/online/badssl.c b/tests/online/badssl.c
index 66b090d..aa4c24d 100644
--- a/tests/online/badssl.c
+++ b/tests/online/badssl.c
@@ -10,37 +10,71 @@
static bool g_has_ssl = false;
#endif
+static int cert_check_assert_invalid(git_cert *cert, int valid, const char* host, void *payload)
+{
+ GIT_UNUSED(cert); GIT_UNUSED(host); GIT_UNUSED(payload);
+
+ cl_assert_equal_i(0, valid);
+
+ return GIT_ECERTIFICATE;
+}
+
void test_online_badssl__expired(void)
{
+ git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+ opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
if (!g_has_ssl)
cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", NULL));
+
+ cl_git_fail_with(GIT_ECERTIFICATE,
+ git_clone(&g_repo, "https://expired.badssl.com/fake.git", "./fake", &opts));
}
void test_online_badssl__wrong_host(void)
{
+ git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+ opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
if (!g_has_ssl)
cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", NULL));
+ cl_git_fail_with(GIT_ECERTIFICATE,
+ git_clone(&g_repo, "https://wrong.host.badssl.com/fake.git", "./fake", &opts));
}
void test_online_badssl__self_signed(void)
{
+ git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+ opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
if (!g_has_ssl)
cl_skip();
cl_git_fail_with(GIT_ECERTIFICATE,
git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", NULL));
+ cl_git_fail_with(GIT_ECERTIFICATE,
+ git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", &opts));
}
void test_online_badssl__old_cipher(void)
{
+ git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
+ opts.fetch_opts.callbacks.certificate_check = cert_check_assert_invalid;
+
+ /* FIXME: we don't actually reject RC4 anywhere, figure out what to tweak */
+ cl_skip();
+
if (!g_has_ssl)
cl_skip();
- cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL));
+ cl_git_fail_with(GIT_ECERTIFICATE,
+ git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL));
+ cl_git_fail_with(GIT_ECERTIFICATE,
+ git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", &opts));
}
