
git: use /bin/true for 'askpass' to prevent all password prompts

This uses both the env vars and the command line options to ensure
that it works with as many versions of git as possible.  Also, git-svn
uses the env vars, but not necessarily the command line options.

This uses /bin/true to pretend that it successfully got the password.
If password auth is truly required, then it will fail further on down
the line.
Hans-Christoph Steiner 2018-02-05 13:24:32 +01:00
parent 574fa15fce
commit dd93ee6c9b


@ -815,6 +815,7 @@ class vcs_git(vcs):
#
# supported in git >= 2.3
git_config = [
'-c', 'core.askpass=/bin/true',
'-c', 'core.sshCommand=/bin/false',
'-c', 'url.https://.insteadOf=ssh://',
]
@ -827,6 +828,8 @@ class vcs_git(vcs):
git_config.append('url.https://u:p@' + domain + '.insteadOf=https://' + domain)
envs.update({
'GIT_TERMINAL_PROMPT': '0',
'GIT_ASKPASS': '/bin/true',
'SSH_ASKPASS': '/bin/true',
'GIT_SSH': '/bin/false', # for git < 2.3
})
return FDroidPopen(['git', ] + git_config + args,
@ -960,15 +963,27 @@ class vcs_gitsvn(vcs):
def git(self, args, envs=dict(), cwd=None, output=True):
'''Prevent git fetch/clone/submodule from hanging at the username/password prompt
AskPass is set to /bin/true to let the process try to connect
without a username/password.
The SSH command is set to /bin/false to block all SSH URLs
(supported in git >= 2.3). This protects against
CVE-2017-1000117.
'''
# CVE-2017-1000117 block all SSH URLs (supported in git >= 2.3)
config = ['-c', 'core.sshCommand=false']
git_config = [
'-c', 'core.askpass=/bin/true',
'-c', 'core.sshCommand=/bin/false',
]
envs.update({
'GIT_TERMINAL_PROMPT': '0',
'GIT_ASKPASS': '/bin/true',
'SSH_ASKPASS': '/bin/true',
'GIT_SSH': '/bin/false', # for git < 2.3
'SVN_SSH': '/bin/false',
})
return FDroidPopen(['git', ] + config + args,
return FDroidPopen(['git', ] + git_config + args,
envs=envs, cwd=cwd, output=output)
def gotorevisionx(self, rev):
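Review bot: In `vcs_gitsvn.git` the new `envs.update({...})` writes into the `envs=dict()` default from the signature, so the forced variables land in one dict shared by every call that omits `envs`, and in any dict a caller passes in. The values are constants, so nothing leaks between calls today, but anything added to this update later would, and callers that reuse their dict get it silently modified. Copying first keeps the hardening local to the call: change the signature to `envs=None` and start the body with `envs = dict(envs or {})` before the update. The `vcs_git` hunk performs the same `envs.update`, but its signature is outside the hunk, so whether the same applies there needs checking. Applying the update after the copy also preserves the property that a caller cannot override `GIT_ASKPASS`, `GIT_SSH` or `SVN_SSH`, which is worth stating in the docstring since the CVE-2017-1000117 protection depends on it.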