authorShawn Pearce <spearce@spearce.org>2013-01-31 13:02:07 -0800
committerJunio C Hamano <gitster@pobox.com>2013-02-04 10:22:36 -0800
commit4656bf47fca857df51b5d6f4b7b052192b3b2317 (patch)
tree91e4d6cf951f2964de99d454ec89e426753ac453 /http-push.c
parente1b6ff44d61bcdd91280c3f7c3c5ace32d4b7c52 (diff)
Verify Content-Type from smart HTTP servers
Before parsing a suspected smart-HTTP response verify the returned Content-Type matches the standard. This protects a client from attempting to process a payload that smells like a smart-HTTP server response. JGit has been doing this check on all responses since the dawn of time. I mistakenly failed to include it in git-core when smart HTTP was introduced. At the time I didn't know how to get the Content-Type from libcurl. I punted, meant to circle back and fix this, and just plain forgot about it. Signed-off-by: Shawn Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'http-push.c')
-rw-r--r--http-push.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/http-push.c b/http-push.c
index 8701c1215d..ba45b7b501 100644
--- a/http-push.c
+++ b/http-push.c
@@ -1560,7 +1560,7 @@ static int remote_exists(const char *path)
sprintf(url, "%s%s", repo->url, path);
- switch (http_get_strbuf(url, NULL, 0)) {
+ switch (http_get_strbuf(url, NULL, NULL, 0)) {
case HTTP_OK:
ret = 1;
break;
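Review bot: The new `NULL` argument in `http_get_strbuf(url, NULL, NULL, 0)` is unexplained, and the same holds for `http_get_strbuf(url, NULL, &buffer, 0)` in the fetch_symref hunk below, so a reader cannot tell that skipping the Content-Type is deliberate at these call sites. Going by the commit message, the added parameter presumably hands back the response Content-Type; neither caller in this file asks for it, so the verification this commit introduces does not cover these two requests. A one-line comment above each call, for example `/* content type not requested: this is not a smart-HTTP response */`, would record that decision. In fetch_symref the two pointer arguments now sit side by side, and if both parameters share a type (not visible in this file) a transposition would compile silently, which is a second reason to label them. Both functions begin and end outside their hunks.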
@@ -1584,7 +1584,7 @@ static void fetch_symref(const char *path, char **symref, unsigned char *sha1)
url = xmalloc(strlen(repo->url) + strlen(path) + 1);
sprintf(url, "%s%s", repo->url, path);
- if (http_get_strbuf(url, &buffer, 0) != HTTP_OK)
+ if (http_get_strbuf(url, NULL, &buffer, 0) != HTTP_OK)
die("Couldn't get %s for remote symref\n%s", url,
curl_errorstr);
free(url);