From: Jonathan Nieder <jrnieder@gmail.com>
To: "Carlo Marcelo Arenas Belón" <carenas@gmail.com>
Cc: git@vger.kernel.org, peff@peff.net
Subject: Re: [PATCH] osxkeychain: restrict queries to requests with a valid host
Date: Mon, 20 Apr 2020 23:15:56 -0700 [thread overview]
Message-ID: <20200421061556.GD96152@google.com> (raw)
In-Reply-To: <20200420224310.9989-1-carenas@gmail.com>
Hi!
Carlo Marcelo Arenas Belón wrote:
> make sure that requests to this helper to get credentials return early if
> there is no host ord the host is empty.
>
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
> contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
> 1 file changed, 6 insertions(+)
We had mentioned while preparing v2.26.2 that after that release
hardening the git side of the credential helper protocol, we should
harden the helper side. Thanks for getting it started.
[...]
> diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> index bcd3f575a3..2264a88c41 100644
> --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> @@ -69,6 +69,12 @@ static void find_internet_password(void)
> UInt32 len;
> SecKeychainItemRef item;
>
> + /*
> + * Require at valid host to fix CVE-2020-11008
> + */
> + if (!host || !*host)
> + return;
While we're here, is there any validation we should do for any of the
other parameters to SecKeychainFindInternetPassword (username, path,
port, protocol)?
Also, should we check for duplicate fields as in CVE-2020-5260?
> +
> if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
> return;
Thanks,
Jonathan
next prev parent reply other threads:[~2020-04-21 6:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-20 22:43 [PATCH] osxkeychain: restrict queries to requests with a valid host Carlo Marcelo Arenas Belón
2020-04-20 23:09 ` Junio C Hamano
2020-04-20 23:20 ` Carlo Arenas
2020-04-21 1:44 ` Junio C Hamano
2020-04-21 6:15 ` Jonathan Nieder [this message]
2024-04-22 19:48 ` Calvin Wan
2024-04-23 21:39 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200421061556.GD96152@google.com \
--to=jrnieder@gmail.com \
--cc=carenas@gmail.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).