From: Matt McCutchen <matt@mattmccutchen.net>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: Fetch/push lets a malicious server steal the targets of "have" lines
Date: Sat, 29 Oct 2016 12:08:31 -0400 [thread overview]
Message-ID: <1477757311.1524.21.camel@mattmccutchen.net> (raw)
In-Reply-To: <20161029133959.kpkohjkku3jgwjql@sigill.intra.peff.net>
On Sat, 2016-10-29 at 09:39 -0400, Jeff King wrote:
> I'm not sure I understand how connecting to a remote server to fetch is
> a big problem. The server may learn about the existence of particular
> sha1s in your repository, but cannot get their content.
>
> It's the subsequent push that is a problem.
>
> In the scenarios you've described, I'm mostly inclined to say that the
> problem is not git or the protocol itself, but rather lax refspecs.
> You mentioned earlier:
>
> the server can just generate another ref 'xx' pointing to Y2, assuming
> it can entice the victim to set up a corresponding local branch
> refs/heads/for-server1/xx and push it back. Or if the victim is for
> some reason just mirroring back and forth:
>
> This sounds a lot like "I told git to push a bunch of things without
> checking if they were really secret, and it turned out to push some
> secret things". IOW I think the problem is not that the server may lie
> about what it has, but that the user was not careful about what they
> pushed. I dunno. I do not mind making a note in the documentation
> explaining the implications of a server lying, but the scenarios seem
> pretty contrived to me.
Let's focus on the first scenario. There the user is just pulling and
pushing a master branch. Are you saying that each time the user pulls,
they need to look over all the commits they pulled before pushing them
back? I think that's unrealistic, for example, on a busy project with
centralized code review or if the user is publishing a project-specific
modified version of an upstream library. The natural user expectation
is that anything pulled from a public repository is public.
But let's see what Junio says in the other subthread.
> A much more interesting one, IMHO, is a server whose receive-pack lies
> about which objects it has (possibly ones it found out about earlier via
> fetch), which provokes the client to generate deltas against objects the
> server doesn't have (and thereby leaking information about the base
> objects).
>
> That is a problem no matter how careful your refspecs are. I suspect it
> would be a hard attack to pull off in practice, just because it's going
> to depend heavily on the content of the specific objects, what kinds of
> deltas you can convince the other side to generate, etc. That might
> merit a mention in the git-push documentation.
Sure, if I end up doing a patch, I'll include this.
Matt
next prev parent reply other threads:[~2016-10-29 16:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-28 21:39 Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-28 22:00 ` Junio C Hamano
2016-10-28 22:16 ` Matt McCutchen
2016-10-29 1:11 ` Junio C Hamano
2016-10-29 3:33 ` Matt McCutchen
2016-10-29 13:39 ` Jeff King
2016-10-29 16:08 ` Matt McCutchen [this message]
2016-10-29 19:10 ` Jeff King
2016-10-30 7:53 ` Junio C Hamano
2016-11-13 1:25 ` [PATCH] fetch/push: document that private data can be leaked Matt McCutchen
2016-11-14 2:57 ` Junio C Hamano
2016-11-14 18:28 ` Matt McCutchen
2016-11-14 18:20 ` [PATCH] doc: mention transfer data leaks in more places Matt McCutchen
2016-11-14 19:19 ` Junio C Hamano
2016-11-14 19:00 ` [PATCH] fetch/push: document that private data can be leaked Junio C Hamano
2016-11-14 19:07 ` Jeff King
2016-11-14 19:47 ` Junio C Hamano
2016-11-14 19:08 ` Matt McCutchen
[not found] ` <CAPc5daVOxmowdiTU3ScFv6c_BRVEJ+G92gx_AmmKnR-WxUKv-Q@mail.gmail.com>
2016-10-29 16:07 ` Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-30 8:03 ` Junio C Hamano
2016-11-13 2:10 ` Matt McCutchen
2016-10-29 17:38 ` Jon Loeliger
2016-10-30 8:16 ` Junio C Hamano
2016-11-13 2:44 ` Matt McCutchen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1477757311.1524.21.camel@mattmccutchen.net \
--to=matt@mattmccutchen.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).