From: Jonathan Nieder <jrnieder@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Jeff King <peff@peff.net>,
Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Ilya Tretyakov <it@it3xl.ru>
Subject: Re: [PATCH 0/3] credential: handle partial URLs in config settings again
Date: Wed, 22 Apr 2020 15:47:11 -0700 [thread overview]
Message-ID: <20200422224711.GC140314@google.com> (raw)
In-Reply-To: <nycvar.QRO.7.76.6.2004230019170.18039@tvgsbejvaqbjf.bet>
Hi,
Johannes Schindelin wrote:
> On Wed, 22 Apr 2020, Jeff King wrote:
>> On Wed, Apr 22, 2020 at 08:51:02PM +0000, Johannes Schindelin via GitGitGadget wrote:
>>> Please note that Git v2.17.4 will not do what we would expect here: if any
>>> host name (without protocol) is specified, e.g. -c
>>> credential.golli.wog.username = boo, it will actually ignore the host name.
>>> That is, this will populate the username:
>>>
>>> $ echo url=https://example.com |
>>> git -c credential.totally.bog.us.username=foo credential fill
>>
>> That seems scary. What if it is not .username, but:
>>
>> [credential "example.com"]
>> username = foo
>> helper = "!echo password=bar"
>>
>> ? (Or you can imagine a helper that is pulling from a read-only store,
>> like "pass"). That would send the credential to the wrong host.
>
> It would. But I am not aware of any implications regarding `.gitmodules`
> (for some reason I now expect every bug to open an attack vector via
> submodules, I wonder why that is), so that's at least good.
Submodules are only one of many ways that people end up cloning from
an attacker-controlled URL. In submodules we're careful not to use
--recurse-submodules by default at clone time. So I'll mentally
subsitute "attacker-controlled URLs" where you say "submodules". ;-)
I agree with Peff's concern about the unpatched state: since there are
people who use `[credential "host.example.com"] helper` and there are
credential helpers that ignore the host passed in, the combination can
hurt people. (Fortunately, there aren't many credential helpers in
that category that are commonly used.)
[...]
> Yes. For the record, I tried to be very careful here. The _only_ code path
> that is affected by this change is the config reading.
[...]
> But again, I would love another pair of eyes on this, to confirm my
> analysis.
As mentioned above, the config reading is sensitive, too. That said,
I suspect you got it to do basically the right thing.
Reading through the patches. Thank you.
Jonathan
next prev parent reply other threads:[~2020-04-22 22:48 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-22 20:51 [PATCH 0/3] credential: handle partial URLs in config settings again Johannes Schindelin via GitGitGadget
2020-04-22 20:51 ` [PATCH 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-22 23:29 ` Jonathan Nieder
2020-04-22 20:51 ` [PATCH 2/3] credential: teach `credential_from_url()` a non-strict mode Johannes Schindelin via GitGitGadget
2020-04-22 22:29 ` Junio C Hamano
2020-04-22 22:50 ` Johannes Schindelin
2020-04-22 23:02 ` Junio C Hamano
2020-04-22 23:38 ` Jonathan Nieder
2020-04-23 0:02 ` Carlo Arenas
2020-04-23 13:28 ` Johannes Schindelin
2020-04-23 21:22 ` Carlo Marcelo Arenas Belón
2020-04-23 22:03 ` Johannes Schindelin
2020-04-23 22:11 ` Junio C Hamano
2020-04-23 22:16 ` Junio C Hamano
2020-04-23 23:22 ` Johannes Schindelin
2020-04-23 22:50 ` Johannes Schindelin
2020-04-22 20:51 ` [PATCH 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-22 23:57 ` Jonathan Nieder
2020-04-23 23:19 ` Johannes Schindelin
2020-04-22 22:13 ` [PATCH 0/3] credential: handle partial URLs in config settings again Jeff King
2020-04-22 22:26 ` Johannes Schindelin
2020-04-22 22:47 ` Jonathan Nieder [this message]
2020-04-23 22:11 ` Johannes Schindelin
2020-04-23 23:43 ` [PATCH v2 " Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24 0:05 ` Carlo Marcelo Arenas Belón
2020-04-24 0:16 ` Johannes Schindelin
2020-04-24 0:39 ` Carlo Marcelo Arenas Belón
2020-04-24 11:34 ` Johannes Schindelin
2020-04-24 0:34 ` Junio C Hamano
2020-04-24 0:40 ` Junio C Hamano
2020-04-24 11:36 ` Johannes Schindelin
2020-04-24 0:49 ` [PATCH v2 0/3] credential: handle partial URLs in config settings again Carlo Marcelo Arenas Belón
2020-04-24 11:49 ` [PATCH v3 " Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24 15:23 ` Carlo Marcelo Arenas Belón
2020-04-25 10:43 ` Johannes Schindelin
2020-04-24 22:20 ` Junio C Hamano
2020-04-24 22:29 ` Johannes Schindelin
2020-04-28 23:13 ` Junio C Hamano
2020-04-29 14:58 ` Johannes Schindelin
2020-04-29 15:36 ` Junio C Hamano
2020-05-01 19:58 ` Johannes Schindelin
2020-05-01 20:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200422224711.GC140314@google.com \
--to=jrnieder@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=it@it3xl.ru \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).