Re: [PATCH 0/3] credential: handle partial URLs in config settings again

git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed

From: Jonathan Nieder <jrnieder@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Jeff King <peff@peff.net>,
	Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
	git@vger.kernel.org,
	"brian m. carlson" <sandals@crustytoothpaste.net>,
	Ilya Tretyakov <it@it3xl.ru>
Subject: Re: [PATCH 0/3] credential: handle partial URLs in config settings again
Date: Wed, 22 Apr 2020 15:47:11 -0700	[thread overview]
Message-ID: <20200422224711.GC140314@google.com> (raw)
In-Reply-To: <nycvar.QRO.7.76.6.2004230019170.18039@tvgsbejvaqbjf.bet>

Hi,

Johannes Schindelin wrote:
> On Wed, 22 Apr 2020, Jeff King wrote:
>> On Wed, Apr 22, 2020 at 08:51:02PM +0000, Johannes Schindelin via GitGitGadget wrote:

>>> Please note that Git v2.17.4 will not do what we would expect here: if any
>>> host name (without protocol) is specified, e.g. -c
>>> credential.golli.wog.username = boo, it will actually ignore the host name.
>>> That is, this will populate the username:
>>>
>>>   $ echo url=https://example.com |
>>>     git -c credential.totally.bog.us.username=foo credential fill
>>
>> That seems scary. What if it is not .username, but:
>>
>>   [credential "example.com"]
>>   username = foo
>>   helper = "!echo password=bar"
>>
>> ? (Or you can imagine a helper that is pulling from a read-only store,
>> like "pass"). That would send the credential to the wrong host.
>
> It would. But I am not aware of any implications regarding `.gitmodules`
> (for some reason I now expect every bug to open an attack vector via
> submodules, I wonder why that is), so that's at least good.

Submodules are only one of many ways that people end up cloning from
an attacker-controlled URL.  In submodules we're careful not to use
--recurse-submodules by default at clone time.  So I'll mentally
subsitute "attacker-controlled URLs" where you say "submodules". ;-)

I agree with Peff's concern about the unpatched state: since there are
people who use `[credential "host.example.com"] helper` and there are
credential helpers that ignore the host passed in, the combination can
hurt people.  (Fortunately, there aren't many credential helpers in
that category that are commonly used.)

[...]
> Yes. For the record, I tried to be very careful here. The _only_ code path
> that is affected by this change is the config reading.
[...]
> But again, I would love another pair of eyes on this, to confirm my
> analysis.

As mentioned above, the config reading is sensitive, too.  That said,
I suspect you got it to do basically the right thing.

Reading through the patches.  Thank you.

Jonathan

next prev parent reply	other threads:[~2020-04-22 22:48 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-22 20:51 [PATCH 0/3] credential: handle partial URLs in config settings again Johannes Schindelin via GitGitGadget
2020-04-22 20:51 ` [PATCH 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-22 23:29   ` Jonathan Nieder
2020-04-22 20:51 ` [PATCH 2/3] credential: teach `credential_from_url()` a non-strict mode Johannes Schindelin via GitGitGadget
2020-04-22 22:29   ` Junio C Hamano
2020-04-22 22:50     ` Johannes Schindelin
2020-04-22 23:02       ` Junio C Hamano
2020-04-22 23:38   ` Jonathan Nieder
2020-04-23  0:02     ` Carlo Arenas
2020-04-23 13:28       ` Johannes Schindelin
2020-04-23 21:22         ` Carlo Marcelo Arenas Belón
2020-04-23 22:03           ` Johannes Schindelin
2020-04-23 22:11             ` Junio C Hamano
2020-04-23 22:16               ` Junio C Hamano
2020-04-23 23:22                 ` Johannes Schindelin
2020-04-23 22:50     ` Johannes Schindelin
2020-04-22 20:51 ` [PATCH 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-22 23:57   ` Jonathan Nieder
2020-04-23 23:19     ` Johannes Schindelin
2020-04-22 22:13 ` [PATCH 0/3] credential: handle partial URLs in config settings again Jeff King
2020-04-22 22:26   ` Johannes Schindelin
2020-04-22 22:47     ` Jonathan Nieder [this message]
2020-04-23 22:11       ` Johannes Schindelin
2020-04-23 23:43 ` [PATCH v2 " Johannes Schindelin via GitGitGadget
2020-04-23 23:43   ` [PATCH v2 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-23 23:43   ` [PATCH v2 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-23 23:43   ` [PATCH v2 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24  0:05     ` Carlo Marcelo Arenas Belón
2020-04-24  0:16       ` Johannes Schindelin
2020-04-24  0:39         ` Carlo Marcelo Arenas Belón
2020-04-24 11:34           ` Johannes Schindelin
2020-04-24  0:34       ` Junio C Hamano
2020-04-24  0:40         ` Junio C Hamano
2020-04-24 11:36           ` Johannes Schindelin
2020-04-24  0:49   ` [PATCH v2 0/3] credential: handle partial URLs in config settings again Carlo Marcelo Arenas Belón
2020-04-24 11:49   ` [PATCH v3 " Johannes Schindelin via GitGitGadget
2020-04-24 11:49     ` [PATCH v3 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-24 11:49     ` [PATCH v3 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-24 11:49     ` [PATCH v3 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24 15:23       ` Carlo Marcelo Arenas Belón
2020-04-25 10:43         ` Johannes Schindelin
2020-04-24 22:20       ` Junio C Hamano
2020-04-24 22:29         ` Johannes Schindelin
2020-04-28 23:13           ` Junio C Hamano
2020-04-29 14:58             ` Johannes Schindelin
2020-04-29 15:36               ` Junio C Hamano
2020-05-01 19:58                 ` Johannes Schindelin
2020-05-01 20:01                   ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200422224711.GC140314@google.com \
    --to=jrnieder@gmail.com \
    --cc=Johannes.Schindelin@gmx.de \
    --cc=git@vger.kernel.org \
    --cc=gitgitgadget@gmail.com \
    --cc=it@it3xl.ru \
    --cc=peff@peff.net \
    --cc=sandals@crustytoothpaste.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).