From: "René Scharfe" <l.s.r@web.de>
To: Jeff King <peff@peff.net>
Cc: Git Mailing List <git@vger.kernel.org>,
Junio C Hamano <gitster@pobox.com>,
Stefan Sperling <stsp@stsp.name>,
Martin Koegler <martin.koegler@chello.at>
Subject: Re: [PATCH 1/2] tag: factor out get_tagged_oid()
Date: Fri, 6 Sep 2019 17:05:11 +0200 [thread overview]
Message-ID: <f44b7abc-cab1-0bd4-029a-1c84cf36ec7b@web.de> (raw)
In-Reply-To: <20190906071320.GA14343@sigill.intra.peff.net>
Am 06.09.19 um 09:13 schrieb Jeff King:
> On Thu, Sep 05, 2019 at 09:55:55PM +0200, René Scharfe wrote:
>
>> Add a function for accessing the ID of the object referenced by a tag
>> safely, i.e. without causing a segfault when encountering a broken tag
>> where ->tagged is NULL.
>
> This approach seems to pretty reasonable. As somebody who's been
> thinking about this, I'd be curious to hear your thoughts on:
>
> https://public-inbox.org/git/20190906065606.GC5122@sigill.intra.peff.net/
>
> which _in theory_ means tag->tagged would never be NULL (we'd catch it
> at the parsing stage and consider that an error). But we'd still
> potentially want to protect ourselves as you do here for code paths
> which don't necessarily check the parse result.
A tag referencing an unknown object sounds strange to me. I imagine we
might get such a thing when the referenced object is lost (broken repo)
or purpose-built from an attacker. Could such a tag still be used for
anything? Are there other possible causes? I suspect the answer to
both questions is "no", and then it makes sense to reject it as early
as possible.
But I may be missing something. In particular I'm confused by these
patches from February 2008, which seem to suggest that such tags should
not be reported in all cases, but sometimes just silently ignored:
9684afd967 revision.c: handle tag->tagged == NULL
cc36934791 process_tag: handle tag->tagged == NULL
24e8a3c946 deref_tag: handle tag->tagged = NULL
So is there perhaps a use case for them after all?
Leaving that aside: The parsed flag means we saw and checked the object
already. That is true also for broken objects. Clearing the flag can
cause the same error to be reported multiple times. How about setting
it at the start as before, but returning -1 from parse_tag_buffer() if
.parsed == 1 && .tagged == NULL?
René
next prev parent reply other threads:[~2019-09-06 15:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-05 19:55 [PATCH 1/2] tag: factor out get_tagged_oid() René Scharfe
2019-09-05 19:59 ` [PATCH 2/2] use get_tagged_oid() René Scharfe
2019-09-06 7:13 ` [PATCH 1/2] tag: factor out get_tagged_oid() Jeff King
2019-09-06 15:05 ` René Scharfe [this message]
2019-09-06 15:25 ` René Scharfe
2019-09-06 17:51 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f44b7abc-cab1-0bd4-029a-1c84cf36ec7b@web.de \
--to=l.s.r@web.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=martin.koegler@chello.at \
--cc=peff@peff.net \
--cc=stsp@stsp.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).