Re: Fetch/push lets a malicious server steal the targets of "have" lines

git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed

From: Junio C Hamano <gitster@pobox.com>
To: Matt McCutchen <matt@mattmccutchen.net>
Cc: git@vger.kernel.org
Subject: Re: Fetch/push lets a malicious server steal the targets of "have" lines
Date: Sun, 30 Oct 2016 01:03:17 -0700	[thread overview]
Message-ID: <xmqqtwbuuuuy.fsf@gitster.mtv.corp.google.com> (raw)
In-Reply-To: <1477757268.1524.20.camel@mattmccutchen.net> (Matt McCutchen's message of "Sat, 29 Oct 2016 12:07:48 -0400")

Matt McCutchen <matt@mattmccutchen.net> writes:

> On Fri, 2016-10-28 at 22:31 -0700, Junio C Hamano wrote:
>> Not sending to the list, where mails from Gmail/phone is known to get
>> rejected.
>
> [I guess I can go ahead and quote this to the list.]
>
>> No. I'm saying that the scenario you gave is bad and people should be
>> taught not to connect to untrustworthy sites.
>
> To clarify, are you saying:
>
> (1) don't connect to an untrusted server ever (e.g., we don't promise
> that the server can't execute arbitrary code on the client), or
>
> (2) don't connect to an untrusted server if the client repository has
> data that needs to be kept secret from the server?

You sneaked "arbitrary code execution" into the discussion but I do
not know where it came from.  In any case, "don't pull from or push
to untrustworthy place" would be a common sense advice that would
make sense in any scenario ;-)

Just for future reference, when you have ideas/issues that might
have possible security ramifications, I'd prefer to see it first
discussed on a private list we created for that exact purpose, until
we can assess the impact (if any).  Right now MaintNotes says this:

    If you think you found a security-sensitive issue and want to disclose
    it to us without announcing it to wider public, please contact us at
    our security mailing list <git-security@googlegroups.com>.  This is
    a closed list that is limited to people who need to know early about
    vulnerabilities, including:

      - people triaging and fixing reported vulnerabilities
      - people operating major git hosting sites with many users
      - people packaging and distributing git to large numbers of people

    where these issues are discussed without risk of the information
    leaking out before we're ready to make public announcements.

We may want to tweak the description from "disclose it to us" to
"have a discussion on it with us" (the former makes it sound as if
the topic has to be a definite problem, the latter can include an
idle speculation that may not be realistic attack vector).

next prev parent reply	other threads:[~2016-10-30  8:03 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-28 21:39 Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-28 22:00 ` Junio C Hamano
2016-10-28 22:16   ` Matt McCutchen
2016-10-29  1:11     ` Junio C Hamano
2016-10-29  3:33       ` Matt McCutchen
2016-10-29 13:39         ` Jeff King
2016-10-29 16:08           ` Matt McCutchen
2016-10-29 19:10             ` Jeff King
2016-10-30  7:53               ` Junio C Hamano
2016-11-13  1:25                 ` [PATCH] fetch/push: document that private data can be leaked Matt McCutchen
2016-11-14  2:57                   ` Junio C Hamano
2016-11-14 18:28                     ` Matt McCutchen
2016-11-14 18:20                       ` [PATCH] doc: mention transfer data leaks in more places Matt McCutchen
2016-11-14 19:19                         ` Junio C Hamano
2016-11-14 19:00                       ` [PATCH] fetch/push: document that private data can be leaked Junio C Hamano
2016-11-14 19:07                         ` Jeff King
2016-11-14 19:47                           ` Junio C Hamano
2016-11-14 19:08                         ` Matt McCutchen
     [not found]         ` <CAPc5daVOxmowdiTU3ScFv6c_BRVEJ+G92gx_AmmKnR-WxUKv-Q@mail.gmail.com>
2016-10-29 16:07           ` Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-30  8:03             ` Junio C Hamano [this message]
2016-11-13  2:10               ` Matt McCutchen
2016-10-29 17:38       ` Jon Loeliger
2016-10-30  8:16         ` Junio C Hamano
2016-11-13  2:44           ` Matt McCutchen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=xmqqtwbuuuuy.fsf@gitster.mtv.corp.google.com \
    --to=gitster@pobox.com \
    --cc=git@vger.kernel.org \
    --cc=matt@mattmccutchen.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).