From: Junio C Hamano <gitster@pobox.com>
To: Josh Steadmon <steadmon@google.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 00/10] Advertise trace2 SID in protocol capabilities
Date: Fri, 30 Oct 2020 15:31:25 -0700
Message-ID: <xmqq4kmb5osi.fsf@gitster.c.googlers.com>
In-Reply-To: <cover.1604006121.git.steadmon@google.com> (Josh Steadmon's message of "Thu, 29 Oct 2020 14:32:30 -0700")

Josh Steadmon <steadmon@google.com> writes:

> 2) upload-pack generally takes configuration via flags rather than
> gitconfig. From offline discussions, it sounds like this is an
> intentional choice to limit potential vulnerability from malicious
> configs in local repositories accessed via the file:// URL scheme. Is
> it reasonable to load the trace2.announceSID option from config files
> in upload-pack, or should this be changed to a flag?

I do not know about your offline discussion, but it certainly would
make it easier to reason about the attack surface if we know it
never gets affected by any configuration files.

Having said that, upload-pack.c::upload_pack_config() already reads
a lot from the configuration file; many of these variables are named
"allowSomething", so...

IOW, I do not see why the announceSID (should it be in trace2.*
hierarchy, though?) needs to be treated as any more sensitive than,
say, uploadpack.allowrefinwant or *.allowfilter variables.