From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Junio C Hamano" <gitster@pobox.com>,
"Git Mailing List" <git@vger.kernel.org>,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>
Subject: Re: PCRE v2 compile error, was Re: What's cooking in git.git (May 2017, #01; Mon, 1)
Date: Tue, 9 May 2017 12:40:40 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.21.1.1705091234210.146734@virtualbox> (raw)
In-Reply-To: <20170509003714.ylwn5ezvu5h36kj7@genre.crustytoothpaste.net>
[-- Attachment #1: Type: text/plain, Size: 2164 bytes --]
Hi,
On Tue, 9 May 2017, brian m. carlson wrote:
> On Tue, May 09, 2017 at 02:00:18AM +0200, Ævar Arnfjörð Bjarmason wrote:
> > On Tue, May 9, 2017 at 1:32 AM, brian m. carlson
> > <sandals@crustytoothpaste.net> wrote:
> > > PCRE and PCRE2 also tend to have a lot of security updates, so I
> > > would prefer if we didn't import them into the tree. It is far
> > > better for users to use their distro's packages for PCRE, as it
> > > means they get automatic security updates even if they're using an
> > > old Git.
> > >
> > > We shouldn't consider shipping anything with a remotely frequent
> > > history of security updates in our tree, since people very
> > > frequently run old or ancient versions of Git.
> >
> > I'm aware of its security record[1], but I wonder what threat model
> > you have in mind here. I'm not aware of any parts of git (except maybe
> > gitweb?) where we take regexes from untrusted sources.
> >
> > I.e. yes there have been DoS's & even some overflow bugs leading code
> > execution in PCRE, but in the context of powering git-grep & git-log
> > with PCRE this falls into the "stop hitting yourself" category.
>
> Just because you don't drive Git with untrusted regexes doesn't mean
> other people don't.
Or other applications.
> It's not a good idea to require a stronger security model than we
> absolutely have to, since people can and will violate it. Think how
> devastating Shellshock was even though technically nobody should provide
> insecure environment variables to the shell.
>
> And, yes, gitweb does in fact call git grep. That means that git grep
> must in fact be secure against untrusted regexes, or you have a remote
> code execution vulnerability.
And not only grep is affected. Think HEAD^{/<regex>}. There are plenty of
sites where you are allowed to specify revs in a freer form than SHA-1s.
Having said that, I do like the prospect of a faster git grep.
Hopefully there will be a way to make use of PCRE that can be switched
off? Like, a compile-time replacement of the regex API backed by PCRE v2
*iff* PCRE v2 is used for building?
Ciao,
Dscho
next prev parent reply other threads:[~2017-05-09 10:41 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-01 5:35 What's cooking in git.git (May 2017, #01; Mon, 1) Junio C Hamano
2017-05-01 14:25 ` Ævar Arnfjörð Bjarmason
2017-05-01 16:21 ` Brandon Williams
2017-05-01 17:44 ` Ævar Arnfjörð Bjarmason
2017-05-01 19:29 ` Jeff King
2017-05-01 23:21 ` Junio C Hamano
2017-05-02 8:23 ` Ævar Arnfjörð Bjarmason
2017-05-02 9:35 ` Junio C Hamano
2017-05-02 12:31 ` Ævar Arnfjörð Bjarmason
2017-05-02 11:11 ` Johannes Schindelin
2017-05-02 12:09 ` PCRE v2 compile error, was " Johannes Schindelin
2017-05-02 12:27 ` Ævar Arnfjörð Bjarmason
2017-05-02 16:05 ` Johannes Schindelin
2017-05-02 18:52 ` Ævar Arnfjörð Bjarmason
2017-05-02 20:51 ` Kevin Daudt
2017-05-02 21:16 ` Ævar Arnfjörð Bjarmason
2017-05-03 9:45 ` Johannes Schindelin
2017-05-03 11:15 ` Duy Nguyen
2017-05-03 15:10 ` Ævar Arnfjörð Bjarmason
2017-05-04 9:11 ` Johannes Schindelin
2017-05-04 10:24 ` Ævar Arnfjörð Bjarmason
2017-05-04 11:32 ` Johannes Schindelin
2017-05-04 11:53 ` Ævar Arnfjörð Bjarmason
2017-05-08 6:30 ` Ævar Arnfjörð Bjarmason
2017-05-08 7:10 ` Junio C Hamano
2017-05-08 23:32 ` brian m. carlson
2017-05-09 0:00 ` Ævar Arnfjörð Bjarmason
2017-05-09 0:37 ` brian m. carlson
2017-05-09 10:40 ` Johannes Schindelin [this message]
2017-05-09 11:29 ` Ævar Arnfjörð Bjarmason
2017-05-09 11:12 ` Ævar Arnfjörð Bjarmason
2017-05-09 14:22 ` demerphq
2017-05-09 14:46 ` Ævar Arnfjörð Bjarmason
2017-05-02 17:43 ` Brandon Williams
2017-05-02 17:49 ` Ævar Arnfjörð Bjarmason
2017-05-05 1:12 ` Ramsay Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.21.1.1705091234210.146734@virtualbox \
--to=johannes.schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=pclouds@gmail.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).