git format-patch --in-reply-to allows header injection. Intended?

git format-patch --in-reply-to allows header injection. Intended?

[Niklas Hambüchen]

Hi,

I just wanted to ask if the --in-reply-to flag of git format-patch is
supposed to write the given string unmodified into the email or whether
it ought to perform some check against header injection.

For example, if you pass "--in-reply-to=<msgid>\nTo: <other@example.com"
(notice lack of trailing `>`), then the generated email will actually
contain a
  To: <other@example.com>
header.

(Depending on your shell you might also use "--in-reply-to=`cat`" to get
the above working more easily.)

Is this known and working as intended, or undesired?

Thanks!
Niklas

Re: git format-patch --in-reply-to allows header injection. Intended?

[Junio C Hamano]

Niklas Hambüchen <mail@nh2.me> writes:

> For example, if you pass "--in-reply-to=<msgid>\nTo: <other@example.com"
> (notice lack of trailing `>`), then the generated email will actually
> contain a
>   To: <other@example.com>
> header.

While I do not think of a reason to specify such a string to the
in-reply-to option (I'd rather edit the output in the editor if I
wanted to do anything fancy [*1*]), I do not think there is a reason
why you want to add a code to forbid such use, either.


[Footnote]

*1* For that matter, --in-reply-to option itself is superfluous.

Re: git format-patch --in-reply-to allows header injection. Intended?

[Niklas Hambüchen]

On 04/09/14 23:36, Junio C Hamano wrote:
> While I do not think of a reason to specify such a string to the
> in-reply-to option (I'd rather edit the output in the editor if I
> wanted to do anything fancy [*1*]), I do not think there is a reason
> why you want to add a code to forbid such use, either.

My question was to find out whether I can pass untrusted user input to
--in-reply-to and expect that no header beyond "In-Reply-To" and
"References" is modified, but your answer makes clear that I cannot.

A possible alternative might have been that git verifies that the input
to --in-reply-to matches the format specified RFC2822 (section 3.6.4.).

Thanks!

Re: git format-patch --in-reply-to allows header injection. Intended?

[Junio C Hamano]

Niklas Hambüchen <mail@nh2.me> writes:

> On 04/09/14 23:36, Junio C Hamano wrote:
>> While I do not think of a reason to specify such a string to the
>> in-reply-to option (I'd rather edit the output in the editor if I
>> wanted to do anything fancy [*1*]), I do not think there is a reason
>> why you want to add a code to forbid such use, either.
>
> My question was to find out whether I can pass untrusted user input to
> ...

Ah, in general, anybody who passes unvetted user input to any Git
Porcelain deserves what s/he gets, so perhaps you would want to at
least make sure that the input is a single line, or something.