cgit/cache.c, branch ch/git-2-54A hyperfast web frontend for git repositories written in C.https://git.zx2c4.com/cgit/atom/cache.c?h=ch%2Fgit-2-542026-04-13T17:04:38Zcache: truncate lock file before filling2026-04-13T17:04:38ZJason A. DonenfeldJason@zx2c4.com2026-04-13T17:02:31Zurn:sha1:829eb0711305e8946fa2f4a1c57c43354f35e208
lock_slot() opens the lock file with O_RDWR|O_CREAT but without
O_TRUNC. If a previous cgit process was killed between lock_slot() and
unlock_slot() (e.g. by a CGI timeout or OOM), the stale lock file
remains on disk with the old content, and the kernel releases the fcntl
lock.
The next process to claim the same cache slot then opens this stale lock
file, acquires the fcntl lock, writes its key and generated content on
top of the old bytes. If the new response is shorter than what was
previously in the file, trailing bytes from the old response survive
beyond the end of the new content. fstat() in fill_slot() reports the
total file size (including the stale tail), and print_slot() faithfully
sends all of it -- producing a response that is the correct page
followed by a fragment of whatever previously occupied that lock file.
Fix this by truncating the lock file after acquiring the lock and before
writing the new key.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
cache: tolerate short writes in print_slot2022-12-19T15:13:58ZHristo Venevhristo@venev.name2022-05-07T17:07:00Zurn:sha1:852cb3b0e267dd2ddfd2eeef6275435098c606e7
sendfile() can return after a short read/write, so we may need to call
it more than once. As suggested in the manual page, we fall back to
read/write if sendfile fails with EINVAL or ENOSYS.
On the read/write path, use write_in_full which deals with short writes.
Signed-off-by: Hristo Venev <hristo@venev.name>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
git: update to v2.30.02020-12-29T11:29:42ZChristian Hessemail@eworm.de2020-12-28T22:27:13Zurn:sha1:cef27b670a66c9840bb6120260864e4b3a701dc2
Update to git version v2.30.0, this requires changes for these
upstream commits:
* 88894aaeeae92e8cb41143cc2e045f50289dc790
blame: simplify 'setup_scoreboard' interface
* 1fbfdf556f2abc708183caca53ae4e2881b46ae2
banned.h: mark non-reentrant gmtime, etc as banned
Signed-off-by: Christian Hesse <mail@eworm.de>
cache: close race window when unlocking slots2018-06-27T16:13:03ZJohn Keepingjohn@keeping.me.uk2018-06-20T05:29:14Zurn:sha1:b31e99887b17f513289fb11227b2484504e85b6c
We use POSIX advisory record locks to control access to cache slots, but
these have an unhelpful behaviour in that they are released when any
file descriptor referencing the file is closed by this process.
Mostly this is okay, since we know we won't be opening the lock file
anywhere else, but there is one place that it does matter: when we
restore stdout we dup2() over a file descriptor referring to the file,
thus closing that descriptor.
Since we restore stdout before unlocking the slot, this creates a window
during which the slot content can be overwritten. The fix is reasonably
straightforward: simply restore stdout after unlocking the slot, but the
diff is a bit bigger because this requires us to move the temporary
stdout FD into struct cache_slot.
Signed-off-by: John Keeping <john@keeping.me.uk>
Reviewed-by: Christian Hesse <mail@eworm.de>
global: spelling fixes2017-10-15T16:44:55ZVille Skyttäville.skytta@iki.fi2017-10-14T19:05:51Zurn:sha1:67d0f870506e3bc3703ae3cb2cb00e19691ce967
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
cache: flush stdio before restoring FDs2017-10-03T18:19:34ZJohn Keepingjohn@keeping.me.uk2017-04-24T18:38:34Zurn:sha1:3b485cc5422f800d142c7023295e82c0a1c10b19
As described in commit 2efb59e (ui-patch: Flush stdout after outputting
data, 2014-06-11), we need to ensure that stdout is flushed before
restoring the file descriptor when writing to the cache. It turns out
that it's not just ui-patch that is affected by this but also raw diff
which writes to stdout internally.
Let's avoid risking more places doing this by ensuring that stdout is
flushed after writing in fill_slot().
Signed-off-by: John Keeping <john@keeping.me.uk>
cache: don't check for match with no key2016-01-17T16:05:39ZJohn Keepingjohn@keeping.me.uk2016-01-16T11:03:07Zurn:sha1:33bc949a1e927e14479568518bd92e70998e25f8
We call open_slot() from cache_ls() without a key since we simply want
to read the path out of the header. Should the file happen to contain
an empty key then we end up calling memcmp() with NULL and a non-zero
length. Fix this by assigning slot->match only if a key is set, which
is always will be in the code paths where we use slot->match.
Coverity-id: 13807
Signed-off-by: John Keeping <john@keeping.me.uk>
cache: use size_t for string lengths2016-01-17T16:05:19ZJohn Keepingjohn@keeping.me.uk2016-01-16T11:03:06Zurn:sha1:3fbfced7401cfcbb8006a9a6ce4add6b37a41a55
Avoid integer truncation on 64-bit systems.
Coverity-id: 13864
Signed-off-by: John Keeping <john@keeping.me.uk>
cache: fix resource leak: close file handle before return2015-10-10T19:41:04ZChristian Hessemail@eworm.de2015-10-10T14:56:28Zurn:sha1:76dc7a3371e487fdc9de7b3b4c991fe370598f0e
Coverity-id: 13910
Signed-off-by: Christian Hesse <mail@eworm.de>
cache.c: fix header order2015-08-13T13:37:42ZJohn Keepingjohn@keeping.me.uk2015-08-13T11:14:17Zurn:sha1:43620cf6aa62decaf319d00c28297e3b87a4da78
git-compat-util.h may define values that affect how system headers are
interpreted, so move sys/sendfile.h after cgit.h (which includes
git-compat-util.h).
Signed-off-by: John Keeping <john@keeping.me.uk>