From: Brandon Williams <bmwill@google.com>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: bw/transport-protocol-policy
Date: Thu, 1 Dec 2016 11:35:24 -0800
Message-ID: <20161201193524.GC54082@google.com>
In-Reply-To: <20161201192055.44mtvtacyhpbqbqu@sigill.intra.peff.net>

On 12/01, Jeff King wrote:
> On Thu, Dec 01, 2016 at 10:14:15AM -0800, Brandon Williams wrote:
> 
> > >   1. The new policy config lets you say "only allow this protocol when
> > >      the user specifies it". But when http.c calls is_transport_allowed(),
> > >      the latter has no idea that we are asking it about potential
> > >      redirects (which obviously do _not_ come from the user), and would
> > >      erroneously allow them.
> > > 
> > >      I think this needs fixed before the topic is merged. It's not a
> > >      regression, as it only comes into play if you use the new policy
> > >      config. But it is a minor security hole in the new feature.
> > 
> > I agree and it should be an easy fix.  We can just add a parameter like
> > so:
> > 
> > diff --git a/transport.c b/transport.c
> > index 2c0ec76..d38d50f 100644
> > --- a/transport.c
> > +++ b/transport.c
> > @@ -723,7 +723,7 @@ static enum protocol_allow_config get_protocol_config(const char *type)
> >  	return PROTOCOL_ALLOW_USER_ONLY;
> >  }
> >  
> > -int is_transport_allowed(const char *type)
> > +int is_transport_allowed(const char *type, int redirect)
> >  {
> >  	const struct string_list *whitelist = protocol_whitelist();
> >  	if (whitelist)
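Review bot: The new `int redirect` parameter of is_transport_allowed() is undocumented, and this diff touches only transport.c, so the function's declaration and its existing callers are not updated here. Add a comment on the function stating that a non-zero `redirect` means the protocol was reached through a redirect rather than named by the user, and include the header and caller changes in the same patch so every call site makes that choice explicitly.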
> > @@ -735,7 +735,7 @@ int is_transport_allowed(const char *type)
> >  	case PROTOCOL_ALLOW_NEVER:
> >  		return 0;
> >  	case PROTOCOL_ALLOW_USER_ONLY:
> > -		return git_env_bool("GIT_PROTOCOL_FROM_USER", 1);
> > +		return git_env_bool("GIT_PROTOCOL_FROM_USER", !redirect);
> >  	}
> >  
> >  	die("BUG: invalid protocol_allow_config type");
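Review bot: In the PROTOCOL_ALLOW_USER_ONLY case, `git_env_bool("GIT_PROTOCOL_FROM_USER", !redirect)` uses `redirect` only as the default, so a GIT_PROTOCOL_FROM_USER value set to true in the environment still makes this return 1 for a redirect. Test `redirect` before consulting the environment and return 0 in that case, so that the caller's explicit statement that this is a redirect cannot be overridden by the variable.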
> > 
> > That way the libcurl code can say it is asking if it is ok to redirect
> > to that protocol.
> 
> I wouldn't expect anyone to ever set GIT_PROTOCOL_FROM_USER=1, but it
> does behave in a funny way here, overriding the "redirect" flag. I think
> we'd want something more like:
> 
>   if (redirect < 0)
> 	redirect = git_env_bool("GIT_PROTOCOL_FROM_USER", 1);
> 
> and then pass in "-1" from transport_check_allowed().

I don't think I quite follow your solution but I came up with this:

  case PROTOCOL_ALLOW_USER_ONLY:
    return redirect ? 0 : git_env_bool("GIT_PROTOCOL_FROM_USER", 1);

Which should address the same issue.

-- 
Brandon Williams
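
The two variants of the PROTOCOL_ALLOW_USER_ONLY branch from this message compared side by side, as an added example that is not part of the original e-mail or of git's code. `from_user()` is a simplified stand-in for `git_env_bool()` that takes the environment value as a parameter, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for git_env_bool("GIT_PROTOCOL_FROM_USER", def).
 * `val` is what getenv() would return (NULL when the variable is unset).
 * Assumption: only "", "0", "false", "no" and "off" are treated as false.
 */
static int from_user(const char *val, int def)
{
	if (!val)
		return def;
	return !(!*val || !strcmp(val, "0") || !strcmp(val, "false") ||
		 !strcmp(val, "no") || !strcmp(val, "off"));
}

/* USER_ONLY branch as written in the quoted patch. */
int user_only_patch(const char *env, int redirect)
{
	return from_user(env, !redirect);
}

/* USER_ONLY branch as proposed in the reply. */
int user_only_reply(const char *env, int redirect)
{
	return redirect ? 0 : from_user(env, 1);
}

int main(void)
{
	/* Constructed inputs: variable unset, set to 0, set to 1. */
	const char *envs[] = { NULL, "0", "1" };
	size_t i;
	int redirect;

	printf("%-8s %-8s %-6s %-6s\n", "env", "redirect", "patch", "reply");
	for (i = 0; i < sizeof(envs) / sizeof(envs[0]); i++)
		for (redirect = 0; redirect <= 1; redirect++)
			printf("%-8s %-8d %-6d %-6d\n",
			       envs[i] ? envs[i] : "(unset)", redirect,
			       user_only_patch(envs[i], redirect),
			       user_only_reply(envs[i], redirect));
	return 0;
}
```

The two variants differ only in the row where the variable is set to 1 and the request is a redirect.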
