Commit 39a4a3ea authored by Jacob Vosmaer's avatar Jacob Vosmaer

Use 'git cat-file blob' instead of 'git show'

This is meant as an extra layer of defense against untrusted user
input.
parent a6655446
...@@ -26,10 +26,10 @@ func SendBlob(w http.ResponseWriter, r *http.Request, sendData string) { ...@@ -26,10 +26,10 @@ func SendBlob(w http.ResponseWriter, r *http.Request, sendData string) {
} }
log.Printf("SendBlob: sending %q for %q", params.BlobId, r.URL.Path) log.Printf("SendBlob: sending %q for %q", params.BlobId, r.URL.Path)
gitShowCmd := gitCommand("", "git", "--git-dir="+params.RepoPath, "show", params.BlobId) gitShowCmd := gitCommand("", "git", "--git-dir="+params.RepoPath, "cat-file", "blob", "--", params.BlobId)
stdout, err := gitShowCmd.StdoutPipe() stdout, err := gitShowCmd.StdoutPipe()
if err != nil { if err != nil {
helper.Fail500(w, fmt.Errorf("SendBlob: git show stdout: %v", err)) helper.Fail500(w, fmt.Errorf("SendBlob: git stdout: %v", err))
return return
} }
if err := gitShowCmd.Start(); err != nil { if err := gitShowCmd.Start(); err != nil {
...@@ -39,11 +39,11 @@ func SendBlob(w http.ResponseWriter, r *http.Request, sendData string) { ...@@ -39,11 +39,11 @@ func SendBlob(w http.ResponseWriter, r *http.Request, sendData string) {
defer helper.CleanUpProcessGroup(gitShowCmd) defer helper.CleanUpProcessGroup(gitShowCmd)
if _, err := io.Copy(w, stdout); err != nil { if _, err := io.Copy(w, stdout); err != nil {
helper.LogError(fmt.Errorf("SendBlob: copy git show stdout: %v", err)) helper.LogError(fmt.Errorf("SendBlob: copy git cat-file stdout: %v", err))
return return
} }
if err := gitShowCmd.Wait(); err != nil { if err := gitShowCmd.Wait(); err != nil {
helper.LogError(fmt.Errorf("SendBlob: wait for git show: %v", err)) helper.LogError(fmt.Errorf("SendBlob: wait for git cat-file: %v", err))
return return
} }
} }
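Review bot: The added `--` on the cat-file line only stops params.BlobId from being parsed as an option; `git cat-file blob` still resolves any object expression (a `<rev>:<path>` form, for instance), so if BlobId is expected to be a raw object ID that should be enforced before the command is built, for example `if !blobIDRe.MatchString(params.BlobId) { helper.Fail500(w, fmt.Errorf("SendBlob: invalid blob id %q", params.BlobId)); return }` with `blobIDRe` compiled once at package scope as `regexp.MustCompile("^[0-9a-f]{40}$")` (64 hex digits for SHA-256 repositories, if those are in scope). The `--git-dir=` value is likewise built straight from params.RepoPath; whether that is validated upstream is not visible in this hunk. As a style point, the variable is still named `gitShowCmd` in both hunks although the command and the updated error strings now say cat-file; renaming it to `gitCatFileCmd` would keep identifiers and messages consistent. SendBlob's signature and the lines between the two hunks are outside what is shown.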