git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Jann Horn <jannh@google.com>
Subject: Re: [PATCH 0/6] restricting http redirects
Date: Mon, 5 Dec 2016 08:08:28 -0500	[thread overview]
Message-ID: <20161205130828.3yk2y6yschthoyx6@sigill.intra.peff.net> (raw)
In-Reply-To: <20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net>

On Thu, Dec 01, 2016 at 04:03:37AM -0500, Jeff King wrote:

> Jann Horn brought up on the git-security list some interesting
> social-engineering attacks around the way Git handles HTTP redirects.
> These patches are my attempt to harden our redirect handling against
> these attacks.

There's one other possible attack I thought of while discussing [1],
that is worth mentioning.

We limited the number of http redirects in b25811646 (http: limit
redirection depth, 2015-09-22). But what about http-alternates? Could
you redirect to yourself via http-alternates and convince a client to
loop infinitely?

It looks like no, because we do not seem to handle recursive
alternates at all in the http walker. Which means that repositories with
recursive local alternates cannot be fetched over dumb-http. But it also
means that we don't have to worry about limiting the recursion depth.

-Peff

[1] http://public-inbox.org/git/fe33de5b5f0b3da68b249cc4a49a6d7@3c843fe6ba8f3c586a21345a2783aa0/

      parent reply	other threads:[~2016-12-05 13:08 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-01  9:03 [PATCH 0/6] restricting http redirects Jeff King
2016-12-01  9:03 ` [PATCH 1/6] http: simplify update_url_from_redirect Jeff King
2016-12-01  9:04 ` [PATCH 2/6] http: always update the base URL for redirects Jeff King
2016-12-01 16:02   ` Ramsay Jones
2016-12-01 22:53     ` Brandon Williams
2016-12-01 23:12       ` Philip Oakley
2016-12-01 23:43         ` Junio C Hamano
2016-12-02  0:07           ` Ramsay Jones
2016-12-02  0:18             ` Jeff King
2016-12-02  1:21               ` Ramsay Jones
2016-12-01  9:04 ` [PATCH 3/6] remote-curl: rename shadowed options variable Jeff King
2016-12-01  9:04 ` [PATCH 4/6] http: make redirects more obvious Jeff King
2016-12-01 16:06   ` Ramsay Jones
2016-12-01  9:04 ` [PATCH 5/6] http: treat http-alternates like redirects Jeff King
2016-12-01 23:02   ` Brandon Williams
2016-12-02  0:06     ` Jeff King
2016-12-01  9:04 ` [PATCH 6/6] http-walker: complain about non-404 loose object errors Jeff King
2016-12-05 13:08 ` Jeff King [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161205130828.3yk2y6yschthoyx6@sigill.intra.peff.net \
    --to=peff@peff.net \
    --cc=git@vger.kernel.org \
    --cc=jannh@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).