From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Subject: [PATCH 0/2] sanitizing error message contents
Date: Wed, 11 Jan 2017 09:01:39 -0500 [thread overview]
Message-ID: <20170111140138.5p647xuqpqrej63b@sigill.intra.peff.net> (raw)
When adding a warning() call in 50d341374 (http: make redirects more
obvious, 2016-12-06), somebody brought up that evil servers can redirect
you to something like:
https://evil.example.com/some/repo?unused=\rwarning:+rainbows+and_unicorns_ahead
(where "\r" is a literal CR), and instead of seeing:
warning: redirecting to https://evil.example.com/...
you just get:
warning: rainbows and unicorns ahead
or whatever innocuous looking line they prefer (probably just ANSI
"clear to beginning of line" would be even more effective).
Since it's hard to figure out which error messages could potentially
contain malicious contents, and since spewing control characters to the
terminal is generally bad anyway, this series sanitizes at the lowest
level.
Note that this doesn't cover "remote:" lines coming over the sideband.
Those are already covered for "\r", as we have to parse it to handle
printing "remote:" consistently. But you can play tricks like putting:
printf '\0331K\033[0Efatal: this looks local\n'
into a pre-receive hook. I'm not sure if we would want to do more
sanitizing there. The goal of this series is not so much that a remote
can't send funny strings that may look local, but that they can't
prevent local strings from being displayed. OTOH, I suspect clever use
of ANSI codes (moving the cursor, clearing lines, etc) could get you
pretty far.
I'd be hesitant to disallow control codes entirely, though, as I suspect
some servers do send colors over the sideband. So I punted on that here,
but I think this is at least an incremental improvement.
[1/2]: Revert "vreportf: avoid intermediate buffer"
[2/2]: vreport: sanitize ASCII control chars
usage.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
-Peff
next reply other threads:[~2017-01-11 14:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-11 14:01 Jeff King [this message]
2017-01-11 14:02 ` [PATCH 1/2] Revert "vreportf: avoid intermediate buffer" Jeff King
2017-01-11 14:02 ` [PATCH 2/2] vreport: sanitize ASCII control chars Jeff King
2017-01-11 14:07 ` [RFC PATCH 3/2] vreportf: add prefix to each line Jeff King
2017-01-11 22:11 ` Junio C Hamano
2017-01-12 6:59 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170111140138.5p647xuqpqrej63b@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).