From 632da896fbc6593bfc8ca765d2a09201e3d4fc23 Mon Sep 17 00:00:00 2001
From: Eric Huss
Date: Sat, 12 Nov 2022 08:12:10 -0800
Subject: [PATCH] Fix git2 safe-directory disable

---
 src/bin/cargo/cli.rs | 2 +-
 src/bin/cargo/main.rs | 55 +++++++++++++++++++++++++------------------
 2 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/src/bin/cargo/cli.rs b/src/bin/cargo/cli.rs
index c6b57910b031..3053854d4c7b 100644
--- a/src/bin/cargo/cli.rs
+++ b/src/bin/cargo/cli.rs
@@ -149,7 +149,7 @@ Run with 'cargo -Z [FLAG] [COMMAND]'",
 }
 };
 config_configure(config, &expanded_args, subcommand_args, global_args)?;
- super::init_git_transports(config);
+ super::init_git(config);
 execute_subcommand(config, cmd, subcommand_args)
 }
diff --git a/src/bin/cargo/main.rs b/src/bin/cargo/main.rs
index 70adebb9431c..aaac0d126101 100644
--- a/src/bin/cargo/main.rs
+++ b/src/bin/cargo/main.rs
@@ -246,6 +246,38 @@ fn search_directories(config: &Config) -> Vec {
 path_dirs
 }
+/// Initialize libgit2.
+fn init_git(config: &Config) {
+ // Disabling the owner validation in git can, in theory, lead to code execution
+ // vulnerabilities. However, libgit2 does not launch executables, which is the foundation of
+ // the original security issue. Meanwhile, issues with refusing to load git repos in
+ // `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the
+ // validation.
+ //
+ // For further discussion of Cargo's current interactions with git, see
+ //
+ // https://github.com/rust-lang/rfcs/pull/3279
+ //
+ // and in particular the subsection on "Git support".
+ //
+ // Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library,
+ // this code won't be invoked. Instead, developers will need to explicitly disable the
+ // validation in their code. This is inconvenient, but won't accidentally open consuming
+ // applications up to security issues if they use git2 to open repositories elsewhere in their
+ // code.
+ unsafe {
+ git2::opts::set_verify_owner_validation(false)
+ .expect("set_verify_owner_validation should never fail");
+ }
+
+ init_git_transports(config);
+}
+
+/// Configure libgit2 to use libcurl if necessary.
+///
+/// If the user has a non-default network configuration, then libgit2 will be
+/// configured to use libcurl instead of the built-in networking support so
+/// that those configuration settings can be used.
 fn init_git_transports(config: &Config) {
 // Only use a custom transport if any HTTP options are specified,
 // such as proxies or custom certificate authorities. The custom
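Review bot: The `unsafe { git2::opts::set_verify_owner_validation(false) ... }` block in `init_git` carries no `// SAFETY:` comment, even though the reason it is sound is visible in this patch — cli.rs calls `init_git` once, after `config_configure` and before `execute_subcommand`, so the process-wide libgit2 option is flipped before any other libgit2 use; I would record that as `// SAFETY: called once from the CLI entry point before any other libgit2 use, so no other thread can race on this global option.` The long justification comment would also benefit from one sentence saying the switch is process-global: it applies to every repository cargo opens through libgit2 (registry index, git dependencies, the workspace itself), and repo-local config from a directory owned by another user is still read, so network-affecting settings such as `url.<base>.insteadOf` or `http.proxy` — if the linked libgit2 honors them — are the residual risk the "does not launch executables" argument leaves open. Separately, replacing the old `if ... .is_err() { return; }` with `.expect(...)` turns a fail-closed condition (validation simply stays on) into a panic that aborts the whole cargo invocation; unless libgit2 genuinely cannot fail here, something like `config.shell().warn(...)` on `Err` would degrade more gracefully while still making the failure visible.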
@@ -274,27 +306,4 @@ fn init_git_transports(config: &Config) {
 unsafe {
 git2_curl::register(handle);
 }
-
- // Disabling the owner validation in git can, in theory, lead to code execution
- // vulnerabilities. However, libgit2 does not launch executables, which is the foundation of
- // the original security issue. Meanwhile, issues with refusing to load git repos in
- // `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the
- // validation.
- //
- // For further discussion of Cargo's current interactions with git, see
- //
- // https://github.com/rust-lang/rfcs/pull/3279
- //
- // and in particular the subsection on "Git support".
- //
- // Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library,
- // this code won't be invoked. Instead, developers will need to explicitly disable the
- // validation in their code. This is inconvenient, but won't accidentally open consuming
- // applications up to security issues if they use git2 to open repositories elsewhere in their
- // code.
- unsafe {
- if git2::opts::set_verify_owner_validation(false).is_err() {
- return;
- }
- }
 }