From: Brandon Williams <bmwill@google.com>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: bw/transport-protocol-policy
Date: Thu, 1 Dec 2016 10:14:15 -0800
Message-ID: <20161201181415.GA54082@google.com>
In-Reply-To: <20161201083005.dui572o4jxsqacas@sigill.intra.peff.net>

On 12/01, Jeff King wrote:
> On Mon, Nov 28, 2016 at 04:15:08PM -0800, Junio C Hamano wrote:
> 
> > * bw/transport-protocol-policy (2016-11-09) 2 commits
> >   (merged to 'next' on 2016-11-16 at 1391d3eeed)
> >  + transport: add protocol policy config option
> >  + lib-proto-disable: variable name fix
> > 
> >  Finer-grained control of what protocols are allowed for transports
> >  during clone/fetch/push have been enabled via a new configuration
> >  mechanism.
> > 
> >  Will cook in 'next'.
> 
> I was looking at the way the http code feeds protocol restrictions to
> CURLOPT_REDIR_PROTOCOLS, and I think this topic is missing two elements:
> 
>   1. The new policy config lets you say "only allow this protocol when
>      the user specifies it". But when http.c calls is_transport_allowed(),
>      the latter has no idea that we are asking it about potential
>      redirects (which obviously do _not_ come from the user), and would
>      erroneously allow them.
> 
>      I think this needs fixed before the topic is merged. It's not a
>      regression, as it only comes into play if you use the new policy
>      config. But it is a minor security hole in the new feature.

I agree and it should be an easy fix.  We can just add a parameter like
so:

diff --git a/transport.c b/transport.c
index 2c0ec76..d38d50f 100644
--- a/transport.c
+++ b/transport.c
@@ -723,7 +723,7 @@ static enum protocol_allow_config get_protocol_config(const char *type)
 	return PROTOCOL_ALLOW_USER_ONLY;
 }
 
-int is_transport_allowed(const char *type)
+int is_transport_allowed(const char *type, int redirect)
 {
 	const struct string_list *whitelist = protocol_whitelist();
 	if (whitelist)
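
Review bot: the new `int redirect` parameter on is_transport_allowed() has no comment saying what a non-zero value means, and this diff touches only transport.c, so the declaration and the existing one-argument call sites need updating in the same patch. Suggest documenting the parameter next to the declaration and passing 0 wherever the protocol comes from a URL the user supplied.
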
@@ -735,7 +735,7 @@ int is_transport_allowed(const char *type)
 	case PROTOCOL_ALLOW_NEVER:
 		return 0;
 	case PROTOCOL_ALLOW_USER_ONLY:
-		return git_env_bool("GIT_PROTOCOL_FROM_USER", 1);
+		return git_env_bool("GIT_PROTOCOL_FROM_USER", !redirect);
 	}
 
 	die("BUG: invalid protocol_allow_config type");
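
Review bot: in the PROTOCOL_ALLOW_USER_ONLY case, `!redirect` is only the default handed to git_env_bool(), so a GIT_PROTOCOL_FROM_USER=1 set in the environment still makes this return 1 for a redirect. A redirect target never comes from the user, so consider deciding that case before the environment is consulted, for example `if (redirect) return 0;` ahead of the git_env_bool() call.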

That way the libcurl code can say it is asking if it is ok to redirect
to that protocol.

> 
>   2. If your curl is too old to support CURLOPT_REDIR_PROTOCOLS, we will
>      warn if there is a protocol whitelist in effect. But that check
>      only covers the environment whitelist, and we do not warn if you
>      restrict other protocols.
> 
>      I actually think this should probably just warn indiscriminately.
>      Even without a Git protocol whitelist specified, the code serves to
>      prevent curl from redirecting to bizarre protocols like smtp. The
>      affected curl versions are from 2009 and prior, so I kind of doubt
>      it matters much either way (I'm actually tempted to suggest we bump
>      the minimum curl version there; there's a ton of #ifdef cruft going
>      back to 2002-era versions of libcurl).

We should switch to warning all the time since this series adds in
default whitelisted/blacklisted protocols anyways.

-- 
Brandon Williams
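
An added example (not code from this thread or from git) modelling the redirect case discussed above: it builds the set of protocols a redirect may switch to, first with the one-argument check and then with the `redirect` parameter from the patch. `env_bool`, `redirect_mask`, the `P_*` bits and the sample configuration are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not git source; policy names follow the patch. */
enum policy { ALLOW_ALWAYS, ALLOW_NEVER, ALLOW_USER_ONLY };

/* Stand-in for git_env_bool(): env < 0 means unset, so the default applies. */
static int env_bool(int env, int def) { return env < 0 ? def : env; }

/* Before the patch: a redirect looks the same as a user-supplied URL. */
static int allowed_before(enum policy p, int env)
{
	if (p == ALLOW_ALWAYS) return 1;
	if (p == ALLOW_NEVER) return 0;
	return env_bool(env, 1);
}

/* After the patch: a redirect flips the default to "not from the user". */
static int allowed_after(enum policy p, int env, int redirect)
{
	if (p == ALLOW_ALWAYS) return 1;
	if (p == ALLOW_NEVER) return 0;
	return env_bool(env, !redirect);
}

/* Hypothetical bits standing in for libcurl's CURLPROTO_* constants. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4 };
struct proto { int bit; enum policy policy; };

/* Constructed config: http only when user-specified, https always, ftp never. */
static const struct proto config[] = {
	{ P_HTTP, ALLOW_USER_ONLY }, { P_HTTPS, ALLOW_ALWAYS }, { P_FTP, ALLOW_NEVER },
};

/* Build the mask of protocols that a redirect is permitted to use. */
static int redirect_mask(int patched, int env)
{
	int mask = 0;
	for (size_t i = 0; i < sizeof(config) / sizeof(config[0]); i++) {
		int ok = patched ? allowed_after(config[i].policy, env, 1)
				 : allowed_before(config[i].policy, env);
		if (ok) mask |= config[i].bit;
	}
	return mask;
}

int main(void)
{
	printf("%d %d %d\n", redirect_mask(0, -1), redirect_mask(1, -1), redirect_mask(1, 1));
	return 0;
}
```

The third value covers the case where the environment variable is explicitly set to 1, which overrides the `!redirect` default in this model.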
