From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_PASS, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by dcvr.yhbt.net (Postfix) with ESMTP id 6CD571F4B4 for ; Fri, 25 Sep 2020 06:50:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727101AbgIYGuY (ORCPT ); Fri, 25 Sep 2020 02:50:24 -0400 Received: from cloud.peff.net ([104.130.231.41]:40378 "EHLO cloud.peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727044AbgIYGuY (ORCPT ); Fri, 25 Sep 2020 02:50:24 -0400 Received: (qmail 13103 invoked by uid 109); 25 Sep 2020 06:50:24 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with ESMTP; Fri, 25 Sep 2020 06:50:24 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 15822 invoked by uid 111); 25 Sep 2020 06:50:26 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Fri, 25 Sep 2020 02:50:26 -0400 Authentication-Results: peff.net; auth=none Date: Fri, 25 Sep 2020 02:50:23 -0400 From: Jeff King To: =?utf-8?B?w4Z2YXIgQXJuZmrDtnLDsA==?= Bjarmason Cc: git@vger.kernel.org, Junio C Hamano , Matthieu Moy , Johannes Schindelin , Antoine =?utf-8?Q?Beaupr=C3=A9?= , =?utf-8?B?xJBvw6BuIFRy4bqnbiBDw7RuZw==?= Danh , imon Legner , Eric Sunshine Subject: Re: [PATCH v2 00/18] remote-mediawiki: fix RCE issue, and the tests Message-ID: <20200925065023.GB3179383@coredump.intra.peff.net> References: <20200916102918.29805-1-avarab@gmail.com> <20200921104000.2304-1-avarab@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20200921104000.2304-1-avarab@gmail.com> Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org On Mon, Sep 21, 2020 at 12:39:42PM +0200, Ævar Arnfjörð Bjarmason wrote: > This series now has a fix for a remote code execution which previously > was only being discussed on the closed git-security list. Per > discussion there the issue is being made public. > > Basically, we expect that almost nobody is using this code in the > first place so there wasn't any interest in a point release, and there > wasn't any downstream interest in an embargo either. > > This v2 addresses (hopefully) all the public & git-security commends > on the v1s of this series. It all looks good to me, including the cleanup in the final commit. At that point we have no "unquoted" run_git helpers left, so possibly we could rename the "quoted" forms back to just "run_git" and "run_git_stderr", which are a little less verbose. But I don't care that much either way. Thanks again for fixing this. -Peff