[PATCH 0/6] restricting http redirects

[Jeff King <peff@peff.net>]

Jann Horn brought up on the git-security list some interesting
social-engineering attacks around the way Git handles HTTP redirects.
These patches are my attempt to harden our redirect handling against
these attacks.

Out of the box, they should make it more obvious to the user when we are
redirecting, and avoid intermingling objects between multiple dumb-http
repositories. There's also a config flag (not on by default) to disable
redirects entirely if you're operating in a more paranoid environment.

The individual commits have more details on the attack scenarios.

I gave some thought to how this might interact with the
bw/transport-protocol-policy topic, which lets you distinguish between
"from the user" and "from some other system" when allowing protocols. I
think that topic is missing some bits when it comes to HTTP, which I
outlined elsewhere:

  http://public-inbox.org/git/20161201083005.dui572o4jxsqacas@sigill.intra.peff.net/

I also wondered if the new http.followRedirects option in this series
could be replaced by just setting protocol.allow to "user".  But it's
not quite the same:

  1. That only covers setting http.followRedirects to "false". There is
     a special value "initial", which allows redirects on the initial
     ref advertisement (see patch 4 for details).

  2. The http.* options can be applied on a per-server basis. So you
     might allow a trusted server to redirect you, but not others. The
     protocol config is less flexible in that regard (it's less about
     "who are you contacting" and more about "what situation are you
     in").

So I think it's fine for the two to co-exist. There's some small
overlap, but which is appropriate depends on what problem you're trying
to solve.

Thanks Jann for the initial report and for good discussion on the
security list.

  [1/6]: http: simplify update_url_from_redirect
  [2/6]: http: always update the base URL for redirects
  [3/6]: remote-curl: rename shadowed options variable
  [4/6]: http: make redirects more obvious
  [5/6]: http: treat http-alternates like redirects
  [6/6]: http-walker: complain about non-404 loose object errors

 Documentation/config.txt      | 10 +++++++
 http-walker.c                 | 15 +++++++----
 http.c                        | 56 ++++++++++++++++++++++++++++++---------
 http.h                        | 10 ++++++-
 remote-curl.c                 | 22 +++++++++-------
 t/lib-httpd/apache.conf       | 14 ++++++++++
 t/t5550-http-fetch-dumb.sh    | 61 +++++++++++++++++++++++++++++++++++++++++++
 t/t5551-http-fetch-smart.sh   |  4 +++
 t/t5812-proto-disable-http.sh |  1 +
 9 files changed, 165 insertions(+), 28 deletions(-)