From: Stefan Beller <sbeller@google.com>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>,
Jonathan Nieder <jrnieder@gmail.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Eric Wong <e@80x24.org>, Dan Wang <dwwang@google.com>,
Dennis Kaarsemaker <dennis@kaarsemaker.net>
Subject: Re: [PATCH 2/4] receive-pack: implement advertising and receiving push options
Date: Fri, 8 Jul 2016 15:17:13 -0700 [thread overview]
Message-ID: <CAGZ79kZOdcJwd0ePMquhfJTv=xZGP_+w4BRV=GyTy3ejb79yrQ@mail.gmail.com> (raw)
In-Reply-To: <20160708214637.GB9820@sigill.intra.peff.net>
On Fri, Jul 8, 2016 at 2:46 PM, Jeff King <peff@peff.net> wrote:
> On Fri, Jul 08, 2016 at 11:57:20AM -0700, Stefan Beller wrote:
>
>> >> Sorry to butt into the conversation late, but: I am not yet convinced.
>> >>
>> >> Is the idea that if the push options were very large, this would save
>> >> the client from the cost of sending them?
>> >
>> > Not really. I have no strong opinion on the benefit of limiting
>> > number/size. Stefan limited the number/size at the receiving end
>> > and made receiving end die with its message.
>>
>> Jeff claimed we'd need some sort of DoS protection for this feature,
>> so I considered just die-ing enough for an initial implementation.
>
> I do not think we need to worry too much about niceties for these
> limits. The point is to protect servers from malicious nonsense, like
> somebody sending gigabytes of push options, or trying to overflow a
> buffer in a hook with a large value.
Agreed. This would speak for keeping the implementation as is.
>If people are seeing these in
> routine use, then the limits are set too low, and this should happen
> roughly as often as a BUG assertion, and IMHO should be treated roughly
> the same: don't bother with translation, and don't worry about
> optimizing wasted bandwidth for this case. It won't happen enough to
> matter.
Well the wasted band width is part of the server protection, no?
This would favor the idea Jonathan came up with:
server: I advertise push options
client: ok I want to use push options
client: I'll send you 1000 push options with upper bound of 1000M
server: It's a bit too much, eh?
* server quits
So this case only occurs for the (malicious?) corner case, where I
do not bother a translation.
But having the size announcement not in
the capability advertisement, but in the actual push options phase makes
sense to me as we do not want to clutter the capabilities with data that can
come later. We would only waste a little bit of band width, (the
initial ls-remote
and command list of the client).
Speaking of this, I can craft a malicious client that sends the
following command list
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
refs/heads/loooooooooooooooooong-ref
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
refs/heads/loooooooooooooooooong-ref
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
refs/heads/loooooooooooooooooong-ref
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
refs/heads/loooooooooooooooooong-ref
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
refs/heads/loooooooooooooooooong-ref
<repeat the above a few times>
0000
IIUC in the receive-pack code we would queue that up and the error checking
(two times null sha1? update of the same ref more than once?), is
done just after we send out the flush packet, i.e. when all commands
are received.
This would also result in sending gigabytes of junk as well as a
memory issue on the server
side?
The new push options design is actually neat in the way that the
client exactly says what it wants
and the server can reject early, but not cluttering the capability
advertisement.
Thanks,
Stefan
next prev parent reply other threads:[~2016-07-08 22:17 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 1:12 [PATCHv3 0/4] Push options in C Git Stefan Beller
2016-07-07 1:12 ` [PATCH 1/4] push options: {pre,post}-receive hook learns about push options Stefan Beller
2016-07-07 20:20 ` Junio C Hamano
2016-07-07 21:50 ` Stefan Beller
2016-07-07 21:53 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 2/4] receive-pack: implement advertising and receiving " Stefan Beller
2016-07-07 20:37 ` Junio C Hamano
2016-07-07 21:41 ` Stefan Beller
2016-07-07 21:56 ` Jeff King
2016-07-07 22:06 ` Stefan Beller
2016-07-07 22:09 ` Jeff King
2016-07-07 22:06 ` Junio C Hamano
2016-07-08 17:58 ` Jonathan Nieder
2016-07-08 18:39 ` Junio C Hamano
2016-07-08 18:57 ` Stefan Beller
2016-07-08 21:46 ` Jeff King
2016-07-08 22:17 ` Stefan Beller [this message]
2016-07-08 22:21 ` Jeff King
2016-07-08 22:29 ` Stefan Beller
2016-07-08 22:35 ` Jeff King
2016-07-08 22:43 ` Stefan Beller
2016-07-08 22:46 ` Jeff King
2016-07-08 22:51 ` Stefan Beller
2016-07-07 1:12 ` [PATCH 3/4] push: accept " Stefan Beller
2016-07-07 20:52 ` Junio C Hamano
2016-07-08 22:59 ` Stefan Beller
2016-07-11 18:42 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 4/4] add a test for " Stefan Beller
2016-07-07 19:51 ` Junio C Hamano
2016-07-07 20:01 ` Junio C Hamano
2016-07-07 21:51 ` Stefan Beller
-- strict thread matches above, loose matches on Subject: below --
2016-07-14 21:49 [PATCHv7 0/4] Push options Stefan Beller
2016-07-14 21:49 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 17:39 [PATCHv5 0/4] Push options Stefan Beller
2016-07-14 17:39 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 18:38 ` Junio C Hamano
2016-07-14 19:00 ` Stefan Beller
2016-07-14 19:07 ` Junio C Hamano
2016-07-14 19:45 ` Jeff King
2016-07-14 20:07 ` Junio C Hamano
2016-07-09 0:31 [PATCHv4 0/4] Push options Stefan Beller
2016-07-09 0:31 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-10 17:06 ` Shawn Pearce
2016-07-10 18:05 ` Stefan Beller
2016-07-12 4:53 ` Shawn Pearce
2016-07-12 5:24 ` Jeff King
2016-06-30 0:59 [RFC PATCHv1 0/4] Push options in C Git Stefan Beller
2016-06-30 0:59 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-01 17:11 ` Junio C Hamano
2016-07-01 17:24 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGZ79kZOdcJwd0ePMquhfJTv=xZGP_+w4BRV=GyTy3ejb79yrQ@mail.gmail.com' \
--to=sbeller@google.com \
--cc=dennis@kaarsemaker.net \
--cc=dwwang@google.com \
--cc=e@80x24.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).