git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: Junio C Hamano <gitster@pobox.com>
To: Josh Steadmon <steadmon@google.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 00/10] Advertise trace2 SID in protocol capabilities
Date: Fri, 30 Oct 2020 15:31:25 -0700	[thread overview]
Message-ID: <xmqq4kmb5osi.fsf@gitster.c.googlers.com> (raw)
In-Reply-To: <cover.1604006121.git.steadmon@google.com> (Josh Steadmon's message of "Thu, 29 Oct 2020 14:32:30 -0700")

Josh Steadmon <steadmon@google.com> writes:

> 2) upload-pack generally takes configuration via flags rather than
>   gitconfig. From offline discussions, it sounds like this is an
>   intentional choice to limit potential vulnerability from malicious
>   configs in local repositories accessed via the file:// URL scheme. Is
>   it reasonable to load the trace2.announceSID option from config files
>   in upload-pack, or should this be changed to a flag?

I do not know about your offline discussion, but it certainly would
make it easier to reason about the attack surface if we know it
never gets affected by any configuration files.

Having said that, upload-pack.c::upload_pack_config() already reads
a lot from the configuration file, many of these variables are named
"allowSomething", so...

IOW, I do not see why the announceSID (should it be in trace2.*
hierarchy, though?) needs to be treated in any more sensitive than
say uploadpack.allowrefinwant or *.allowfilter variables.

  parent reply	other threads:[~2020-10-30 22:31 UTC|newest]

Thread overview: 66+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-29 21:32 Josh Steadmon
2020-10-29 21:32 ` [PATCH 01/10] docs: new capability to advertise trace2 SIDs Josh Steadmon
2020-10-29 21:32 ` [PATCH 02/10] docs: new trace2.advertiseSID option Josh Steadmon
2020-10-29 21:32 ` [PATCH 03/10] upload-pack: advertise trace2 SID in v0 capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 04/10] receive-pack: " Josh Steadmon
2020-10-29 21:32 ` [PATCH 05/10] serve: advertise trace2 SID in v2 capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 06/10] transport: log received server trace2 SID Josh Steadmon
2020-10-29 21:32 ` [PATCH 07/10] fetch-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 08/10] upload-pack, serve: log received client trace2 SID Josh Steadmon
2020-10-29 21:32 ` [PATCH 09/10] send-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 10/10] receive-pack: log received client trace2 SID Josh Steadmon
2020-10-30 15:54 ` [PATCH 00/10] Advertise trace2 SID in protocol capabilities Jeff Hostetler
2020-11-02 22:20   ` Josh Steadmon
2020-11-03 21:22     ` Junio C Hamano
2020-11-05 21:01       ` Jeff Hostetler
2020-11-10 21:37       ` Josh Steadmon
2020-10-30 22:31 ` Junio C Hamano [this message]
2020-11-02 22:30 ` [PATCH v2 00/11] " Josh Steadmon
2020-11-02 22:30   ` [PATCH v2 01/11] docs: new capability to advertise trace2 SIDs Josh Steadmon
2020-11-03 21:33     ` Junio C Hamano
2020-11-05 21:00       ` Jeff Hostetler
2020-11-12 14:05         ` Ævar Arnfjörð Bjarmason
2020-11-12 17:32           ` Junio C Hamano
2020-11-12 22:10             ` Jeff Hostetler
2020-11-11 22:40       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 02/11] docs: new trace2.advertiseSID option Josh Steadmon
2020-11-03 21:42     ` Junio C Hamano
2020-11-05 19:28       ` Josh Steadmon
2020-11-05 21:24         ` Junio C Hamano
2020-11-06 11:57           ` Johannes Schindelin
2020-11-02 22:31   ` [PATCH v2 03/11] trace2: add a public function for getting the SID Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 04/11] upload-pack: advertise trace2 SID in v0 capabilities Josh Steadmon
2020-11-03 21:48     ` Junio C Hamano
2020-11-05 18:44       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 05/11] receive-pack: " Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 06/11] serve: advertise trace2 SID in v2 capabilities Josh Steadmon
2020-11-04 21:11     ` Junio C Hamano
2020-11-02 22:31   ` [PATCH v2 07/11] transport: log received server trace2 SID Josh Steadmon
2020-11-04 21:14     ` Junio C Hamano
2020-11-11 22:53       ` Josh Steadmon
2020-11-12 21:30         ` Jeff Hostetler
2020-11-02 22:31   ` [PATCH v2 08/11] fetch-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-11-04 21:22     ` Junio C Hamano
2020-11-05 18:58       ` Josh Steadmon
2020-11-05 19:21         ` Junio C Hamano
2020-11-11 23:32           ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 09/11] upload-pack, serve: log received client trace2 SID Josh Steadmon
2020-11-04 21:26     ` Junio C Hamano
2020-11-05 19:12       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 10/11] send-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 11/11] receive-pack: log received client trace2 SID Josh Steadmon
2020-11-03  1:02   ` [PATCH v2 00/11] Advertise trace2 SID in protocol capabilities Junio C Hamano
2020-11-11 23:29 ` [PATCH v3 00/11] Advertise session ID " Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 01/11] docs: new capability to advertise session IDs Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 02/11] docs: new transfer.advertiseSID option Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 03/11] trace2: add a public function for getting the SID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 04/11] upload-pack: advertise session ID in v0 capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 05/11] receive-pack: " Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 06/11] serve: advertise session ID in v2 capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 07/11] transport: log received server session ID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 08/11] fetch-pack: advertise session ID in capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 09/11] upload-pack, serve: log received client session ID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 10/11] send-pack: advertise session ID in capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 11/11] receive-pack: log received client session ID Josh Steadmon
2020-11-25 22:08   ` [PATCH v3 00/11] Advertise session ID in protocol capabilities Junio C Hamano
2020-11-25 22:56     ` Josh Steadmon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=xmqq4kmb5osi.fsf@gitster.c.googlers.com \
    --to=gitster@pobox.com \
    --cc=git@vger.kernel.org \
    --cc=steadmon@google.com \
    --subject='Re: [PATCH 00/10] Advertise trace2 SID in protocol capabilities' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

git@vger.kernel.org list mirror (unofficial, one of many)

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 git git/ https://public-inbox.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://7fh6tueqddpjyxjmgtdiueylzoqt6pt7hec3pukyptlmohoowvhde4yd.onion/inbox.comp.version-control.git
	nntp://ie5yzdi7fg72h7s4sdcztq5evakq23rdt33mfyfcddc5u3ndnw24ogqd.onion/inbox.comp.version-control.git
	nntp://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/inbox.comp.version-control.git
	nntp://news.gmane.io/gmane.comp.version-control.git
 note: .onion URLs require Tor: https://www.torproject.org/

code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git