mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 08:12:40 +01:00
(stable) Warn users about remote code execution in older Git
Summary: Ref T10832. Raise a setup warning for out-of-date versions of `git`. Test Plan: {F1224632} Reviewers: chad Reviewed By: chad Maniphest Tasks: T10832 Differential Revision: https://secure.phabricator.com/D15745
This commit is contained in:
epriestley
parent
dfd6e50ec5
commit
f75b1cf562
1 changed files with 60 additions and 66 deletions
|
|
@ -102,15 +102,24 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
|
||||||
$version = null;
|
$version = null;
|
||||||
switch ($vcs['versionControlSystem']) {
|
switch ($vcs['versionControlSystem']) {
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
|
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
|
||||||
$minimum_version = null;
|
$bad_versions = array(
|
||||||
$bad_versions = array();
|
'< 2.7.4' => pht(
|
||||||
|
'Prior to 2.7.4, Git contains two remote code execution '.
|
||||||
|
'vulnerabilities which allow an attacker to take control of a '.
|
||||||
|
'system by crafting a commit which affects very long paths, '.
|
||||||
|
'then pushing it or tricking a victim into fetching it. This '.
|
||||||
|
'is a severe security vulnerability.'),
|
||||||
|
);
|
||||||
list($err, $stdout, $stderr) = exec_manual('git --version');
|
list($err, $stdout, $stderr) = exec_manual('git --version');
|
||||||
$version = trim(substr($stdout, strlen('git version ')));
|
$version = trim(substr($stdout, strlen('git version ')));
|
||||||
break;
|
break;
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
|
case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
|
||||||
$minimum_version = '1.5';
|
|
||||||
$bad_versions = array(
|
$bad_versions = array(
|
||||||
'1.7.1' => pht(
|
// We need 1.5 for "--depth", see T7228.
|
||||||
|
'< 1.5' => pht(
|
||||||
|
'The minimum supported version of Subversion is 1.5, which '.
|
||||||
|
'was released in 2008.'),
|
||||||
|
'= 1.7.1' => pht(
|
||||||
'This version of Subversion has a bug where `%s` does not work '.
|
'This version of Subversion has a bug where `%s` does not work '.
|
||||||
'for files added in rN (Subversion issue #2873), fixed in 1.7.2.',
|
'for files added in rN (Subversion issue #2873), fixed in 1.7.2.',
|
||||||
'svn diff -c N'),
|
'svn diff -c N'),
|
||||||
|
|
@ -119,12 +128,15 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
|
||||||
$version = trim($stdout);
|
$version = trim($stdout);
|
||||||
break;
|
break;
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
|
case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
|
||||||
$minimum_version = '1.9';
|
|
||||||
$bad_versions = array(
|
$bad_versions = array(
|
||||||
'2.1' => pht(
|
// We need 1.9 for HTTP cloning, see T3046.
|
||||||
|
'< 1.9' => pht(
|
||||||
|
'The minimum supported version of Mercurial is 1.9, which was '.
|
||||||
|
'released in 2011.'),
|
||||||
|
'= 2.1' => pht(
|
||||||
'This version of Mercurial returns a bad exit code '.
|
'This version of Mercurial returns a bad exit code '.
|
||||||
'after a successful pull.'),
|
'after a successful pull.'),
|
||||||
'2.2' => pht(
|
'= 2.2' => pht(
|
||||||
'This version of Mercurial has a significant memory leak, fixed '.
|
'This version of Mercurial has a significant memory leak, fixed '.
|
||||||
'in 2.2.1. Pushing fails with this version as well; see %s.',
|
'in 2.2.1. Pushing fails with this version as well; see %s.',
|
||||||
'T3046#54922'),
|
'T3046#54922'),
|
||||||
|
|
@ -136,20 +148,25 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
|
||||||
if ($version === null) {
|
if ($version === null) {
|
||||||
$this->raiseUnknownVersionWarning($binary);
|
$this->raiseUnknownVersionWarning($binary);
|
||||||
} else {
|
} else {
|
||||||
if ($minimum_version &&
|
$version_details = array();
|
||||||
version_compare($version, $minimum_version, '<')) {
|
|
||||||
$this->raiseMinimumVersionWarning(
|
foreach ($bad_versions as $spec => $details) {
|
||||||
$binary,
|
list($operator, $bad_version) = explode(' ', $spec, 2);
|
||||||
$minimum_version,
|
$is_bad = version_compare($version, $bad_version, $operator);
|
||||||
$version);
|
if ($is_bad) {
|
||||||
|
$version_details[] = pht(
|
||||||
|
'(%s%s) %s',
|
||||||
|
$operator,
|
||||||
|
$bad_version,
|
||||||
|
$details);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ($bad_versions as $bad_version => $details) {
|
if ($version_details) {
|
||||||
if ($bad_version === $version) {
|
$this->raiseBadVersionWarning(
|
||||||
$this->raiseBadVersionWarning(
|
$binary,
|
||||||
$binary,
|
$version,
|
||||||
$bad_version);
|
$version_details);
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -223,57 +240,34 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
|
||||||
pht('Report this Issue to the Upstream'));
|
pht('Report this Issue to the Upstream'));
|
||||||
}
|
}
|
||||||
|
|
||||||
private function raiseMinimumVersionWarning(
|
private function raiseBadVersionWarning($binary, $version, array $problems) {
|
||||||
$binary,
|
$summary = pht(
|
||||||
$minimum_version,
|
'This server has a known bad version of "%s".',
|
||||||
$version) {
|
$binary);
|
||||||
|
|
||||||
switch ($binary) {
|
$message = array();
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
|
|
||||||
break;
|
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
|
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
|
|
||||||
$summary = pht(
|
|
||||||
"The '%s' binary is version %s and Phabricator requires version ".
|
|
||||||
"%s or higher.",
|
|
||||||
$binary,
|
|
||||||
$version,
|
|
||||||
$minimum_version);
|
|
||||||
$message = pht(
|
|
||||||
"Please upgrade the '%s' binary to a more modern version.",
|
|
||||||
$binary);
|
|
||||||
$this->newIssue('bin.'.$binary)
|
|
||||||
->setShortName(pht("Unsupported '%s' Version", $binary))
|
|
||||||
->setName(pht("Unsupported '%s' Version", $binary))
|
|
||||||
->setSummary($summary)
|
|
||||||
->setMessage($summary.' '.$message);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private function raiseBadVersionWarning($binary, $bad_version) {
|
$message[] = pht(
|
||||||
switch ($binary) {
|
'This server has a known bad version of "%s" installed ("%s"). This '.
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
|
'version is not supported, or contains important bugs or security '.
|
||||||
break;
|
'vulnerabilities which are fixed in a newer version.',
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
|
$binary,
|
||||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
|
$version);
|
||||||
$summary = pht(
|
|
||||||
"The '%s' binary is version %s which has bugs that break ".
|
|
||||||
"Phabricator.",
|
|
||||||
$binary,
|
|
||||||
$bad_version);
|
|
||||||
$message = pht(
|
|
||||||
"Please upgrade the '%s' binary to a more modern version.",
|
|
||||||
$binary);
|
|
||||||
$this->newIssue('bin.'.$binary)
|
|
||||||
->setShortName(pht("Unsupported '%s' Version", $binary))
|
|
||||||
->setName(pht("Unsupported '%s' Version", $binary))
|
|
||||||
->setSummary($summary)
|
|
||||||
->setMessage($summary.' '.$message);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
$message[] = pht('You should upgrade this software.');
|
||||||
|
|
||||||
|
$message[] = pht('The known issues with this old version are:');
|
||||||
|
|
||||||
|
foreach ($problems as $problem) {
|
||||||
|
$message[] = $problem;
|
||||||
|
}
|
||||||
|
|
||||||
|
$message = implode("\n\n", $message);
|
||||||
|
|
||||||
|
$this->newIssue("bin.{$binary}.bad-version")
|
||||||
|
->setName(pht('Unsupported/Insecure "%s" Version', $binary))
|
||||||
|
->setSummary($summary)
|
||||||
|
->setMessage($message);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue