
Warn users about remote code execution in older Git

Summary: Ref T10832. Raise a setup warning for out-of-date versions of `git`.

Test Plan: {F1224632}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10832

Differential Revision: https://secure.phabricator.com/D15745

+60 -66
+60 -66
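--- a/src/applications/config/check/PhabricatorBinariesSetupCheck.php
+++ b/src/applications/config/check/PhabricatorBinariesSetupCheck.php
@@ -102,15 +102,24 @@
     $version = null;
     switch ($vcs['versionControlSystem']) {
       case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
-        $minimum_version = null;
-        $bad_versions = array();
+        $bad_versions = array(
+          '< 2.7.4' => pht(
+            'Prior to 2.7.4, Git contains two remote code execution '.
+            'vulnerabilities which allow an attacker to take control of a '.
+            'system by crafting a commit which affects very long paths, '.
+            'then pushing it or tricking a victim into fetching it. This '.
+            'is a severe security vulnerability.'),
+        );
         list($err, $stdout, $stderr) = exec_manual('git --version');
         $version = trim(substr($stdout, strlen('git version ')));
         break;
       case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
-        $minimum_version = '1.5';
         $bad_versions = array(
-          '1.7.1' => pht(
+          // We need 1.5 for "--depth", see T7228.
+          '< 1.5' => pht(
+            'The minimum supported version of Subversion is 1.5, which '.
+            'was released in 2008.'),
+          '= 1.7.1' => pht(
             'This version of Subversion has a bug where `%s` does not work '.
             'for files added in rN (Subversion issue #2873), fixed in 1.7.2.',
             'svn diff -c N'),
@@ -119,12 +128,15 @@
         $version = trim($stdout);
         break;
       case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
-        $minimum_version = '1.9';
         $bad_versions = array(
-          '2.1' => pht(
+          // We need 1.9 for HTTP cloning, see T3046.
+          '< 1.9' => pht(
+            'The minimum supported version of Mercurial is 1.9, which was '.
+            'released in 2011.'),
+          '= 2.1' => pht(
             'This version of Mercurial returns a bad exit code '.
             'after a successful pull.'),
-          '2.2' => pht(
+          '= 2.2' => pht(
             'This version of Mercurial has a significant memory leak, fixed '.
             'in 2.2.1. Pushing fails with this version as well; see %s.',
             'T3046#54922'),
@@ -136,20 +148,25 @@
     if ($version === null) {
       $this->raiseUnknownVersionWarning($binary);
     } else {
-      if ($minimum_version &&
-        version_compare($version, $minimum_version, '<')) {
-        $this->raiseMinimumVersionWarning(
-          $binary,
-          $minimum_version,
-          $version);
+      $version_details = array();
+
+      foreach ($bad_versions as $spec => $details) {
+        list($operator, $bad_version) = explode(' ', $spec, 2);
+        $is_bad = version_compare($version, $bad_version, $operator);
+        if ($is_bad) {
+          $version_details[] = pht(
+            '(%s%s) %s',
+            $operator,
+            $bad_version,
+            $details);
+        }
       }
 
-      foreach ($bad_versions as $bad_version => $details) {
-        if ($bad_version === $version) {
-          $this->raiseBadVersionWarning(
-            $binary,
-            $bad_version);
-        }
+      if ($version_details) {
+        $this->raiseBadVersionWarning(
+          $binary,
+          $version,
+          $version_details);
       }
     }
   }
@@ -223,57 +240,34 @@
       pht('Report this Issue to the Upstream'));
   }
 
-  private function raiseMinimumVersionWarning(
-    $binary,
-    $minimum_version,
-    $version) {
+  private function raiseBadVersionWarning($binary, $version, array $problems) {
+    $summary = pht(
+      'This server has a known bad version of "%s".',
+      $binary);
 
-    switch ($binary) {
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
-        break;
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
-        $summary = pht(
-          "The '%s' binary is version %s and Phabricator requires version ".
-          "%s or higher.",
-          $binary,
-          $version,
-          $minimum_version);
-        $message = pht(
-          "Please upgrade the '%s' binary to a more modern version.",
-          $binary);
-        $this->newIssue('bin.'.$binary)
-          ->setShortName(pht("Unsupported '%s' Version", $binary))
-          ->setName(pht("Unsupported '%s' Version", $binary))
-          ->setSummary($summary)
-          ->setMessage($summary.' '.$message);
-        break;
-    }
-  }
+    $message = array();
+
+    $message[] = pht(
+      'This server has a known bad version of "%s" installed ("%s"). This '.
+      'version is not supported, or contains important bugs or security '.
+      'vulnerabilities which are fixed in a newer version.',
+      $binary,
+      $version);
+
+    $message[] = pht('You should upgrade this software.');
+
+    $message[] = pht('The known issues with this old version are:');
 
-  private function raiseBadVersionWarning($binary, $bad_version) {
-    switch ($binary) {
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
-        break;
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
-      case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
-        $summary = pht(
-          "The '%s' binary is version %s which has bugs that break ".
-          "Phabricator.",
-          $binary,
-          $bad_version);
-        $message = pht(
-          "Please upgrade the '%s' binary to a more modern version.",
-          $binary);
-        $this->newIssue('bin.'.$binary)
-          ->setShortName(pht("Unsupported '%s' Version", $binary))
-          ->setName(pht("Unsupported '%s' Version", $binary))
-          ->setSummary($summary)
-          ->setMessage($summary.' '.$message);
-        break;
-    }
+    foreach ($problems as $problem) {
+      $message[] = $problem;
+    }
 
+    $message = implode("\n\n", $message);
 
+    $this->newIssue("bin.{$binary}.bad-version")
+      ->setName(pht('Unsupported/Insecure "%s" Version', $binary))
+      ->setSummary($summary)
+      ->setMessage($message);
   }
 
 }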
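Review bot: The new `< 2.7.4` rule in the Git case is the first time this check runs `version_compare()` on the raw tail of `git --version`, and that string is only stripped of the `git version ` prefix on the unchanged `substr()` line; vendor builds that append a parenthesized suffix after the number (Apple's bundled Git does this) would have an unrecognized trailing token, which `version_compare()` ranks below the bare number, so an otherwise fixed build would be reported as vulnerable. Normalizing to the leading dotted-numeric run before comparing, `if (preg_match('/^\d+(?:\.\d+)*/', $version, $match)) { $version = $match[0]; }` after the `substr()` line, avoids that. Since any version-string heuristic also cannot see distribution packages that backport the fix without changing the reported version, the wording built in `raiseBadVersionWarning` could note that the finding is based on the reported version and may not apply to a patched build. The issue key also moves from `bin.$binary` to `bin.{$binary}.bad-version` and `setShortName()` is dropped, which presumably stops any existing ignore entries keyed on the old name from matching; worth confirming that is intended.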