git style filename quoting for giveup
When the filenames are part of the git repository or other files that might have attacker-controlled names, quote them in error messages. This is fairly complete, although I didn't do the one in Utility.DirWatcher.INotify.hs because that doesn't have access to Git.Filename or Annex. But it's also quite possible I missed some. And also while scanning for these, I found giveup used with other things that could be attacker controlled to contain control characters (eg Keys). So, I'm thinking it would also be good for giveup to just filter out control characters. This commit is then not the only line of defence, but just good formatting when git-annex displays a filename in an error message. Sponsored-by: Kevin Mueller on Patreon
This commit is contained in:
Joey Hess
parent
da83652c76
commit
063c00e4f7
8 changed files with 79 additions and 30 deletions
|
|
@ -5,7 +5,7 @@
|
|||
- Licensed under the GNU AGPL version 3 or higher.
|
||||
-}
|
||||
|
||||
{-# LANGUAGE ApplicativeDo #-}
|
||||
{-# LANGUAGE ApplicativeDo, OverloadedStrings #-}
|
||||
|
||||
module Command.Import where
|
||||
|
||||
|
|
@ -31,6 +31,7 @@ import Annex.RemoteTrackingBranch
|
|||
import Utility.InodeCache
|
||||
import Logs.Location
|
||||
import Git.FilePath
|
||||
import Git.Filename
|
||||
import Git.Types
|
||||
import Types.Import
|
||||
import Utility.Metered
|
||||
|
|
@ -125,7 +126,10 @@ seek o@(LocalImportOptions {}) = startConcurrency commandStages $ do
|
|||
inrepops <- liftIO $ filter (dirContains repopath)
|
||||
<$> mapM (absPath . toRawFilePath) (importFiles o)
|
||||
unless (null inrepops) $ do
|
||||
giveup $ "cannot import files from inside the working tree (use git annex add instead): " ++ unwords (map fromRawFilePath inrepops)
|
||||
qp <- coreQuotePath <$> Annex.getGitConfig
|
||||
giveup $ decodeBS $ quote qp $
|
||||
"cannot import files from inside the working tree (use git annex add instead): "
|
||||
<> quotedPaths inrepops
|
||||
largematcher <- largeFilesMatcher
|
||||
addunlockedmatcher <- addUnlockedMatcher
|
||||
(commandAction . startLocal o addunlockedmatcher largematcher (duplicateMode o))
|
||||
|
|
@ -221,7 +225,8 @@ startLocal o addunlockedmatcher largematcher mode (srcfile, destfile) =
|
|||
checkLockedDownWritePerms destfile srcfile >>= \case
|
||||
Just err -> do
|
||||
liftIO unwind
|
||||
giveup err
|
||||
qp <- coreQuotePath <$> Annex.getGitConfig
|
||||
giveup (decodeBS $ quote qp err)
|
||||
Nothing -> noop
|
||||
-- Get the inode cache of the dest file. It should be
|
||||
-- weakly the same as the originally locked down file's
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue