From: Stefan Beller <sbeller@google.com>
To: Javantea <jvoss@altsci.com>, Junio C Hamano <gitster@pobox.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>, aneesh.kumar@gmail.com
Subject: Re: Gitview Shell Injection Vulnerability
Date: Tue, 27 Dec 2016 10:45:58 -0800
Message-ID: <CAGZ79kbOjpi4SBLPVaKXJ+L8VN+0N=ZqgDcHeYydkKsS20yR1Q@mail.gmail.com>
In-Reply-To: <20161227082922.8B7A813893D@mail.altsci.com>

+cc the author of gitview

On Tue, Dec 27, 2016 at 12:29 AM, Javantea <jvoss@altsci.com> wrote:
> I have found a shell injection vulnerability in contrib/gitview/gitview.
>
> Gitview Shell Injection Vulnerability
>
> Versions affected: 8cb711c8a5-1d1bdafd64 (<=2.11.0)
>
> Gitview executes shell commands using string concatenation with user supplied data, filenames and branch names. Running Gitview and interacting with the user interface with a malicious filename or branch name in the current repository results in malicious commands being executed as the current user.
>
> AnnotateWindow.add_file_data(self, filename, commit_sha1, line_num):
>     fp = os.popen("git cat-file blob " + commit_sha1 +":"+filename)
>
> AnnotateWindow.annotate(self, filename, commit_sha1, line_num):
>     fp = os.popen("git ls-tree "+ commit_sha1 + " -- " + filename)
>     fp = os.popen("git blame --incremental -C -C -- " + filename + " " + commit_sha1)
>
> GitView.set_branch(self, args):
>     fp = os.popen("git rev-parse --sq --default HEAD " + list_to_string(args, 1))
>     fp = os.popen("git rev-list  --header --topo-order --parents " + git_rev_list_cmd)
>
> The program also has other uses of os.popen but none use values that the user can manipulate. However, the fix should definitely replace these instances so that the code might one day pass pylint and manual code review more easily.
>
> The function os.popen has been replaced by safer functions in the subprocess module. The code can be improved easily because it requires very little change to convert the code to work with arrays of strings instead of strings.
>
> If you have any questions or would like a patch, please let me know.
>

I guess you could send a patch to fix it. It is unclear to me
how the patch submission process for these works, though.
Please see contrib/README to see why it is unclear to me.

> I expect that things that start their life in the contrib/ area
> to graduate out of contrib/ once they mature, either by becoming
> projects on their own, or moving to the toplevel directory.  On
> the other hand, I expect I'll be proposing removal of disused
> and inactive ones from time to time.

Maybe it's time for a spring cleanup and remove some old (dead?)
projects from contrib?

Thanks,
Stefan
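As an added illustration of the fix the report asks for (this is not code from the thread or from gitview itself): the string-concatenated os.popen form from the report beside the subprocess argument-list form, with `echo` standing in for `git` so the comparison runs without a repository. The sample filename, the helper names and the argv builders are constructed for this example.

```python
"""Shell injection via string concatenation vs. an argv list (added example).

The gitview snippets quoted in the report build a command line by
concatenating a filename into one string and handing it to os.popen(), which
passes it to /bin/sh.  The functions below put that pattern next to the
subprocess argument-list form.  `echo` replaces `git` so nothing touches a
repository; the filename is a constructed sample, not real repository data.
"""
import os
import subprocess

# Constructed sample: a filename containing a shell command separator.
HOSTILE_FILENAME = "notes.txt; echo INJECTED"


def popen_concat(filename):
    """The vulnerable pattern from gitview: concatenate, then let sh parse it.

    `echo` stands in for `git cat-file blob ...`; the shell still sees the
    `;` inside the filename as a command separator.
    """
    with os.popen("echo " + filename) as fp:
        return fp.read()


def argv_list(filename):
    """The fix the report describes: an argument list, no shell involved.

    The filename is delivered to the child as exactly one argv element.
    """
    proc = subprocess.run(["echo", filename],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def cat_file_argv(commit_sha1, filename):
    """argv for `git cat-file blob <sha1>:<path>`; the path stays one element."""
    return ["git", "cat-file", "blob", commit_sha1 + ":" + filename]


def blame_argv(commit_sha1, filename):
    """argv for the `git blame --incremental -C -C -- <path> <sha1>` call.

    Keeping `--` matters even without a shell: a path beginning with `-`
    would otherwise be parsed by git as an option.
    """
    return ["git", "blame", "--incremental", "-C", "-C", "--",
            filename, commit_sha1]


def injected(output):
    """True when the stand-in command produced a line it was never asked for."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("os.popen + concatenation:", repr(popen_concat(HOSTILE_FILENAME)))
    print("subprocess argv list:    ", repr(argv_list(HOSTILE_FILENAME)))
```

The argv form needs no quoting or escaping of the filename at all, which is why the report calls the change small: each `os.popen("git ... " + value)` becomes a list with `value` as its own element, and the `--` separators already present in the quoted calls are kept so that path-like arguments cannot be read as options.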


Thread overview: 8+ messages
2016-12-27  8:29 Gitview Shell Injection Vulnerability Javantea
2016-12-27 18:45 ` Stefan Beller [this message]
2016-12-28  6:42   ` Jeff King
2016-12-28 17:28     ` [PATCH] contrib: remove gitview Stefan Beller
2016-12-29  1:59       ` Jeff King
2017-01-01  0:55         ` Junio C Hamano
2017-01-02  6:46         ` Aneesh Kumar K.V
2016-12-28 19:28     ` Javantea
