From: Brandon Williams <bmwill@google.com>
To: Ramsay Jones <ramsay@ramsayjones.plus.com>
Cc: Jeff King <peff@peff.net>,
git@vger.kernel.org, Jann Horn <jannh@google.com>
Subject: Re: [PATCH 2/6] http: always update the base URL for redirects
Date: Thu, 1 Dec 2016 14:53:31 -0800
Message-ID: <20161201225331.GH54082@google.com>
In-Reply-To: <331124b5-aa2b-773c-23ac-975ad3f50dbf@ramsayjones.plus.com>
On 12/01, Ramsay Jones wrote:
>
>
> On 01/12/16 09:04, Jeff King wrote:
> > If a malicious server redirects the initial ref
> > advertisement, it may be able to leak sha1s from other,
> > unrelated servers that the client has access to. For
> > example, imagine that Alice is a git user, she has access to
> > a private repository on a server hosted by Bob, and Mallory
> > runs a malicious server and wants to find out about Bob's
> > private repository.
> >
> > Mallory asks Alice to clone an unrelated repository from her
> -----------------------------------------------------------^^^
> ... from _him_ ? (ie Mallory)
>
> > over HTTP. When Alice's client contacts Mallory's server for
> > the initial ref advertisement, the server issues an HTTP
> > redirect for Bob's server. Alice contacts Bob's server and
> > gets the ref advertisement for the private repository. If
> > there is anything to fetch, she then follows up by asking
> > the server for one or more sha1 objects. But who is the
> > server?
> >
> > If it is still Mallory's server, then Alice will leak the
> > existence of those sha1s to her.
> ------------------------------^^^
> ... to _him_ ? (again Mallory)
>
> ATB,
> Ramsay Jones
Depends, I only know Mallorys who are women so her seems appropriate.
--
Brandon Williams
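The redirect handling that the quoted commit message argues for, modelled as an added Python example (not code from the git series or from anyone in this thread): after the initial ref advertisement is redirected, the follow-up request that names sha1s must go to the redirect target, never back to the original host. The function names and the mallory/bob hostnames are assumptions.

```python
# Added illustration, not code from the git patch series under discussion:
# models how a smart-HTTP client should rebase follow-up requests after a
# redirect on the initial ref advertisement, so that the "who is the server?"
# question in the quoted commit message has exactly one answer.
from urllib.parse import urlsplit

INFO_REFS = "info/refs?service=git-upload-pack"  # first request of a fetch
UPLOAD_PACK = "git-upload-pack"                  # follow-up that names sha1s


class RedirectError(Exception):
    """Redirect target does not preserve the requested path; refuse to guess."""


def update_base_from_redirect(base: str, asked: str, got: str) -> str:
    """Return the base URL to use after `asked` (built on `base`) was
    redirected to `got`. Assumption: as in the patch's approach, the tail of
    `asked` beyond `base` must reappear as a suffix of `got`; the prefix
    before that tail becomes the new base. Anything else is an error."""
    if asked == got:
        return base
    if not asked.startswith(base):
        raise ValueError(f"{asked!r} is not built on base {base!r}")
    tail = asked[len(base):]
    if not tail or not got.endswith(tail):
        raise RedirectError(
            "unable to update url base from redirection:\n"
            f"  asked for: {asked}\n   redirect: {got}")
    return got[:-len(tail)]


def follow_up_targets(base: str, redirect_to: str) -> dict:
    """Host that receives the git-upload-pack request (the one naming sha1s)
    for a client that rebases on redirect versus one that keeps `base`."""
    asked = base + INFO_REFS
    new_base = update_base_from_redirect(base, asked, redirect_to)
    return {
        "rebased": urlsplit(new_base + UPLOAD_PACK).hostname,
        "stale_base": urlsplit(base + UPLOAD_PACK).hostname,
    }


if __name__ == "__main__":
    # Constructed scenario from the quoted message: Mallory redirects to Bob.
    mallory = "https://mallory.example/unrelated.git/"
    bob_refs = "https://bob.example/private.git/" + INFO_REFS
    print(follow_up_targets(mallory, bob_refs))
    # -> {'rebased': 'bob.example', 'stale_base': 'mallory.example'}
```

The `stale_base` entry is the pre-patch behaviour the commit message warns about: the sha1s learned from Bob would be sent to Mallory's host.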