From: Blake Burkhart <bburky@bburky.com>
To: Jeff King <peff@peff.net>
Cc: Shawn Pearce <spearce@spearce.org>, git <git@vger.kernel.org>
Subject: Re: RFC: Resumable clone based on hybrid "smart" and "dumb" HTTP
Date: Fri, 12 Feb 2016 19:40:43 -0600 [thread overview]
Message-ID: <CAP3OtXjyy+7cSi0S17FSsx8gnP1rKboeSAz_Hz1ZNVDuqcGASw@mail.gmail.com> (raw)
In-Reply-To: <20160210214945.GA5853@sigill.intra.peff.net>
On Wed, Feb 10, 2016 at 3:49 PM, Jeff King <peff@peff.net> wrote:
>> 2. Servers that support resumable clone include a "resumable"
>> capability in the advertisement.
>
> Because the magic happens in the git protocol, that would mean this does
> not have to be limited to git-over-http. It could be "resumable=<url>"
> to point the client anywhere (the same server over a different protocol,
> another server, etc).
I'd like to call this out as a possible security issue before it gets
implemented. Allowing the server to instruct the client what protocol
to use is a security risk. This sounds like a fine feature, just do it
carefully.
I reported a similar issue was discussed off list which eventually
became CVE-2015-7545. Basically, git-submodule allowed a repository to
specify any protocol via .gitmodules, causing the client to fetch an
arbitrary URL using a protocol of the attacker's choice. Sadly, the
existence of git-remote-ext allows easily executing arbitrary shell
commands if the server can tell the client to use it. Furthermore,
it's possible the client has some insecure or sensitive custom git
remote helpers installed.
To address this GIT_ALLOW_PROTOCOL was introduced, and git-submodule
now uses it as of 33cfccb. This environment variable specifies a
default whitelist of protocols. Whoever implements this should
probably make use of GIT_ALLOW_PROTOCOL to limit resumable clones to
the same default whitelist that git-submodule now uses.
--
Blake Burkhart
next prev parent reply other threads:[~2016-02-13 1:41 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-10 18:59 RFC: Resumable clone based on hybrid "smart" and "dumb" HTTP Shawn Pearce
2016-02-10 20:11 ` Shawn Pearce
2016-02-10 20:23 ` Stefan Beller
2016-02-10 20:57 ` Junio C Hamano
2016-02-10 21:22 ` Jonathan Nieder
2016-02-10 22:03 ` Jeff King
2016-02-10 21:01 ` Jonathan Nieder
2016-02-10 21:07 ` Junio C Hamano
2016-02-11 3:43 ` Junio C Hamano
2016-02-11 18:04 ` Shawn Pearce
2016-02-11 23:53 ` Duy Nguyen
2016-02-13 5:07 ` Junio C Hamano
2016-02-10 21:49 ` Jeff King
2016-02-10 22:17 ` Jonathan Nieder
2016-02-10 23:03 ` Jeff King
2016-02-10 22:40 ` Junio C Hamano
2016-02-11 21:32 ` Junio C Hamano
2016-02-11 21:46 ` Jeff King
2016-02-13 1:40 ` Blake Burkhart [this message]
2016-02-13 17:00 ` Jeff King
2016-02-14 2:14 ` Shawn Pearce
2016-02-14 17:05 ` Jeff King
2016-02-14 17:56 ` Shawn Pearce
2016-02-16 18:34 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAP3OtXjyy+7cSi0S17FSsx8gnP1rKboeSAz_Hz1ZNVDuqcGASw@mail.gmail.com \
--to=bburky@bburky.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).