From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Jann Horn <jannh@google.com>
Subject: [PATCH 0/6] restricting http redirects
Date: Thu, 1 Dec 2016 04:03:37 -0500 [thread overview]
Message-ID: <20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net> (raw)
Jann Horn brought up on the git-security list some interesting
social-engineering attacks around the way Git handles HTTP redirects.
These patches are my attempt to harden our redirect handling against
these attacks.
Out of the box, they should make it more obvious to the user when we are
redirecting, and avoid intermingling objects between multiple dumb-http
repositories. There's also a config flag (not on by default) to disable
redirects entirely if you're operating in a more paranoid environment.
The individual commits have more details on the attack scenarios.
I gave some thought to how this might interact with the
bw/transport-protocol-policy topic, which lets you distinguish between
"from the user" and "from some other system" when allowing protocols. I
think that topic is missing some bits when it comes to HTTP, which I
outlined elsewhere:
http://public-inbox.org/git/20161201083005.dui572o4jxsqacas@sigill.intra.peff.net/
I also wondered if the new http.followRedirects option in this series
could be replaced by just setting protocol.allow to "user". But it's
not quite the same:
1. That only covers setting http.followRedirects to "false". There is
a special value "initial", which allows redirects on the initial
ref advertisement (see patch 4 for details).
2. The http.* options can be applied on a per-server basis. So you
might allow a trusted server to redirect you, but not others. The
protocol config is less flexible in that regard (it's less about
"who are you contacting" and more about "what situation are you
in").
So I think it's fine for the two to co-exist. There's some small
overlap, but which is appropriate depends on what problem you're trying
to solve.
Thanks Jann for the initial report and for good discussion on the
security list.
[1/6]: http: simplify update_url_from_redirect
[2/6]: http: always update the base URL for redirects
[3/6]: remote-curl: rename shadowed options variable
[4/6]: http: make redirects more obvious
[5/6]: http: treat http-alternates like redirects
[6/6]: http-walker: complain about non-404 loose object errors
Documentation/config.txt | 10 +++++++
http-walker.c | 15 +++++++----
http.c | 56 ++++++++++++++++++++++++++++++---------
http.h | 10 ++++++-
remote-curl.c | 22 +++++++++-------
t/lib-httpd/apache.conf | 14 ++++++++++
t/t5550-http-fetch-dumb.sh | 61 +++++++++++++++++++++++++++++++++++++++++++
t/t5551-http-fetch-smart.sh | 4 +++
t/t5812-proto-disable-http.sh | 1 +
9 files changed, 165 insertions(+), 28 deletions(-)
next reply other threads:[~2016-12-01 9:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-01 9:03 Jeff King [this message]
2016-12-01 9:03 ` [PATCH 1/6] http: simplify update_url_from_redirect Jeff King
2016-12-01 9:04 ` [PATCH 2/6] http: always update the base URL for redirects Jeff King
2016-12-01 16:02 ` Ramsay Jones
2016-12-01 22:53 ` Brandon Williams
2016-12-01 23:12 ` Philip Oakley
2016-12-01 23:43 ` Junio C Hamano
2016-12-02 0:07 ` Ramsay Jones
2016-12-02 0:18 ` Jeff King
2016-12-02 1:21 ` Ramsay Jones
2016-12-01 9:04 ` [PATCH 3/6] remote-curl: rename shadowed options variable Jeff King
2016-12-01 9:04 ` [PATCH 4/6] http: make redirects more obvious Jeff King
2016-12-01 16:06 ` Ramsay Jones
2016-12-01 9:04 ` [PATCH 5/6] http: treat http-alternates like redirects Jeff King
2016-12-01 23:02 ` Brandon Williams
2016-12-02 0:06 ` Jeff King
2016-12-01 9:04 ` [PATCH 6/6] http-walker: complain about non-404 loose object errors Jeff King
2016-12-05 13:08 ` [PATCH 0/6] restricting http redirects Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=jannh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).