From: Jeff King <peff@peff.net>
To: Blake Burkhart <bburky@bburky.com>
Cc: Junio C Hamano <gitster@pobox.com>, git <git@vger.kernel.org>
Subject: Re: Limited local file inclusion with .mailmap symlinks and git-archive
Date: Mon, 15 Feb 2021 18:17:23 -0500
Message-ID: <YCsBA002yv8XpppM@coredump.intra.peff.net>
In-Reply-To: <CAP3OtXj15f9XV=Rzz2oBXQ1TQH3WWKJGBbeaWrmp6Ha4ZTn9nA@mail.gmail.com>

On Sat, Feb 13, 2021 at 11:49:32AM -0600, Blake Burkhart wrote:

> I reported this issue to the private security list first and discussed
> this issue with Peff. This is similar to existing concerns with
> .gitmodules, .gitattributes and .gitignore. Git already disallows
> checking out a .gitmodules file from a repository, and I understand
> there are in progress patches to add similar protection for
> .gitattributes and .gitignore. Please ensure the .mailmap file gets
> similar symlink protection.

Thanks again for bringing this up.

Here are some patches that I think will help. They're meant to be
applied on the stalled jk/symlinked-dotgitx-files topic, which Junio has
been carrying in "seen" for a few months now.

The sticking point there was that we were concerned that the fsck checks
for .gitattributes/.gitignore would catch historical commits in real
projects, making them annoying to work with. So the first patch here
loosens those checks to warnings. I think this is safe enough, as the
real protection is in preventing checkouts in the index code paths (the
fsck checks are really just about protecting other clients using older
versions, but the severity of these attacks is so low that the tradeoff
doesn't make as much sense).

Obviously this could be squashed into the earlier patches, but I think
documenting the change of direction with a separate commit makes sense.

And then the second patch adds similar .mailmap support (also as a
warning, since I think it is largely in the same boat, and it makes
sense to be consistent).

  [1/2]: fsck: make symlinked .gitignore and .gitattributes a warning
  [2/2]: disallow symlinked .mailmap files

 cache.h                      |  1 +
 fsck.c                       | 10 ++++++++--
 path.c                       |  5 +++++
 read-cache.c                 |  6 ++++--
 t/helper/test-path-utils.c   |  5 +++++
 t/t0060-path-utils.sh        | 10 ++++++++++
 t/t7450-bad-dotgitx-files.sh | 26 +++++++++++++++++++-------
 utf8.c                       |  5 +++++
 utf8.h                       |  1 +
 9 files changed, 58 insertions(+), 11 deletions(-)

-Peff
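To make the policy the cover letter describes concrete, here is an added Python sketch of the two checks; it is not Git's code and not part of this thread. It models the fsck side (a symlink at a protected dotfile name is reported, with .gitmodules kept as an error and .gitattributes/.gitignore/.mailmap downgraded to or added as warnings, per the two patches) and the index side (the entry is refused outright). The name normalization is a deliberately simplified stand-in for Git's HFS+/NTFS-aware helpers: it drops the code points HFS+ ignores, strips the trailing dots and spaces NTFS discards, and case-folds. The set of ignored code points, the "final component only" rule and the sample tree are assumptions made for this example.

```python
import unicodedata  # kept for readers extending the normalization; not used by the ASCII-only matches below

S_IFMT = 0o170000
S_IFLNK = 0o120000

# In-tree dotfiles that Git itself reads (and that git-archive resolves from the
# tree). A symlink at one of these names lets the repository author pick which
# file Git actually opens. Severities follow the cover letter: .gitmodules stays
# an error, the other three are warnings (assumption: matches the patches' intent).
PROTECTED_DOTFILES = {
    ".gitmodules": "error",
    ".gitattributes": "warning",
    ".gitignore": "warning",
    ".mailmap": "warning",
}

# Code points HFS+ ignores when comparing names (assumed set for this example).
_HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def is_symlink(mode: int) -> bool:
    """True for a tree/index entry whose mode is 120000 (symbolic link)."""
    return (mode & S_IFMT) == S_IFLNK


def normalize_basename(name: str) -> str:
    """Simplified model of what a case-insensitive filesystem would match.

    Drops HFS+-ignored code points, strips trailing dots/spaces (NTFS removes
    them on create) and case-folds. Real Git uses dedicated per-filesystem
    helpers; this is only an approximation for illustration.
    """
    stripped = "".join(ch for ch in name if ord(ch) not in _HFS_IGNORED)
    return stripped.rstrip(". ").casefold()


def protected_severity(basename: str):
    """Return 'error'/'warning' if basename collides with a protected dotfile, else None."""
    return PROTECTED_DOTFILES.get(normalize_basename(basename))


def fsck_tree_entry(name: str, mode: int):
    """fsck-style check on one tree entry: (severity, message) or None."""
    if not is_symlink(mode):
        return None
    severity = protected_severity(name)
    if severity is None:
        return None
    return (severity, f"{name} is a symlink")


def verify_index_path(path: str, mode: int) -> bool:
    """Index-side check: refuse to add a symlink at a protected dotfile name.

    Simplification: only the final path component is inspected.
    """
    if not is_symlink(mode):
        return True
    basename = path.rsplit("/", 1)[-1]
    return protected_severity(basename) is None


def scan_tree(entries):
    """Run the fsck check over a list of (name, mode) tree entries."""
    return [r for r in (fsck_tree_entry(n, m) for n, m in entries) if r]


# Constructed sample tree for the demonstration (not from any real repository).
SAMPLE_TREE = [
    ("README", 0o100644),
    (".gitmodules", 0o120000),      # symlinked .gitmodules: error
    (".GitIgnore", 0o120000),       # case variant of .gitignore: warning
    (".mailmap\u200c", 0o120000),   # HFS+-ignorable char hidden in the name: warning
    (".gitattributes", 0o100644),   # regular file: nothing to report
]

if __name__ == "__main__":
    for severity, message in scan_tree(SAMPLE_TREE):
        print(f"{severity}: {message}")
    print("index accepts sub/.mailmap symlink:", verify_index_path("sub/.mailmap", 0o120000))
```

The fsck check only reports, which is why the cover letter can afford to loosen it: the check that actually protects a client is `verify_index_path`, which runs before the entry ever reaches the working tree.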
