[PATCH] Sanitize escape char sequences coming from server

Thu, 21 Jun 2018 05:10:59 -0700 

From: Sebastian Kisela <skis...@redhat.com>

Fix volnurability against MITM attacks on client side
by replacing non printable and non white space characters
by "?".

Fixes: CVE-2018-1000021
Signed-off-by: Sebastian Kisela <skis...@redhat.com>
---
 sideband.c              | 20 ++++++++++++++++++++
 t/t5401-update-hooks.sh | 23 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/sideband.c b/sideband.c
index 325bf0e97..8c9d74ace 100644
--- a/sideband.c
+++ b/sideband.c
@@ -1,3 +1,4 @@
+#include <wchar.h>
 #include "cache.h"
 #include "pkt-line.h"
 #include "sideband.h"
@@ -18,6 +19,20 @@
 #define ANSI_SUFFIX "\033[K"
 #define DUMB_SUFFIX "        "
 
+int sanitize_server_message(struct strbuf *outbuf)
+{
+       wchar_t *wcstring = xmalloc(sizeof(wchar_t) * outbuf->len);
+       int len = mbstowcs(wcstring, outbuf->buf, outbuf->len);
+       if (len == -1)
+               return 1;
+       for(int i = 0; i <= len; i++)
+               if(!isprint(wcstring[i]) && !isspace(wcstring[i]) )
+                       wcstring[i] = '?';
+               if (wcstombs(outbuf->buf, wcstring, outbuf->len) == -1)
+                       return 1;
+       return 0;
+}
+
 int recv_sideband(const char *me, int in_stream, int out)
 {
        const char *suffix;
@@ -74,6 +89,9 @@ int recv_sideband(const char *me, int in_stream, int out)
                                } else {
                                        strbuf_addch(&outbuf, *brk);
                                }
+
+                               if (sanitize_server_message(&outbuf))
+                                       retval = SIDEBAND_REMOTE_ERROR;
                                xwrite(2, outbuf.buf, outbuf.len);
                                strbuf_reset(&outbuf);
 
@@ -97,6 +115,8 @@ int recv_sideband(const char *me, int in_stream, int out)
 
        if (outbuf.len) {
                strbuf_addch(&outbuf, '\n');
+               if (sanitize_server_message(&outbuf))
+                       retval = SIDEBAND_REMOTE_ERROR;
                xwrite(2, outbuf.buf, outbuf.len);
        }
        strbuf_release(&outbuf);
diff --git a/t/t5401-update-hooks.sh b/t/t5401-update-hooks.sh
index 7f278d8ce..cc1f6ca29 100755
--- a/t/t5401-update-hooks.sh
+++ b/t/t5401-update-hooks.sh
@@ -148,4 +148,27 @@ test_expect_success 'pre-receive hook that forgets to read 
its input' '
        git push ./victim.git "+refs/heads/*:refs/heads/*"
 '
 
+cat <<EOF >expect
+remote: foo?[0;31mbar?[0m
+To ./victim.git
+ * [new branch]      victim_branch -> victim_branch
+EOF
+cat >victim.git/hooks/pre-receive <<'EOF'
+#!/bin/sh
+  printf "foo\033[0;31mbar\033[0m"
+  exit 0
+EOF
+chmod u+x victim.git/hooks/pre-receive
+test_expect_success 'pre-receive stderr contains ANSI colors' '
+       rm -f victim.git/hooks/update victim.git/hooks/post-receive &&
+
+  git branch victim_branch master &&
+       git push ./victim.git 
"+refs/heads/victim_branch:refs/heads/victim_branch"\
+    >send.out 2>send.err &&
+
+  cat send.err > actual &&
+
+  test_cmp expect actual
+'
+
 test_done
-- 
2.14.4

Reply via email to