From: Brandon Williams <bmwill@google.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, sbeller@google.com, bburky@bburky.com,
jrnieder@gmail.com
Subject: Re: [PATCH v7 4/4] transport: add from_user parameter to is_transport_allowed
Date: Fri, 2 Dec 2016 09:33:49 -0800 [thread overview]
Message-ID: <20161202173349.GA117792@google.com> (raw)
In-Reply-To: <20161202001353.jiw4hjqg75dr6psw@sigill.intra.peff.net>
On 12/01, Jeff King wrote:
> On Thu, Dec 01, 2016 at 03:26:56PM -0800, Brandon Williams wrote:
>
> > > I started taking a look at your http redirect series (I really should
> > > have taking a look at it sooner) and I see exactly what you're talking
> > > about. We can easily move this logic into a function to make it easier
> > > to generate the two whitelists.
> >
> > Thinking about this some more...I was told that having http redirect to
> > file:// could be scary. The way the new protocol configuration is setup
> > we have file:// as a default known-safe protocol. Do we need to worry
> > about this or can we leave this be since this can be overridden by the
> > user?
>
> Hmm. I'm not sure if file:// should actually be USER_ONLY. The submodule
> code allows it, and it's certainly a convenience, but I guess you could
> do tricky things by probing somebody's filesystem with submodules URLs.
> On the other hand, if you are recursively cloning untrusted repos and
> have sensitive contents on disk, you really _should_ be setting up a
> protocol whitelist.
>
> For HTTP redirects within curl, I think it's a non-issue; curl
> automatically disallows file:// for redirects, even without us telling
> it so.
>
> For redirects via http-alternates, it's a bit more tricky, as we feed
> the URL to curl ourselves, so it can't tell the difference between
> trusted and untrusted input. The main protection provided by my series
> is "don't follow http-alternates at all". But assuming you did want to
> use them (by setting http.followRedirects to "true", at least for the
> server in question), we could then feed file:// directly to curl. But I
> think we are still OK, because the restricted CURLOPT_PROTOCOL setting
> would prevent that from working. I.e., git _never_ wants curl to handle
> file://, because it handles it without calling into remote-curl.c at
> all.
>
> So arguably file:// should be USER_ONLY, but I'm not sure how much it
> matters in practice.
Ah ok thanks for the good explanation. I was mostly interested in the
http redirect case which, as you said, becomes a non-issue due to how we
configure curl.
Thanks!
--
Brandon Williams
next prev parent reply other threads:[~2016-12-02 17:33 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-02 22:20 [PATCH] transport: add core.allowProtocol config option Brandon Williams
2016-11-02 22:41 ` Stefan Beller
2016-11-02 22:47 ` Brandon Williams
2016-11-02 23:05 ` Jeff King
2016-11-02 23:08 ` Jeff King
2016-11-02 23:34 ` Brandon Williams
2016-11-02 23:33 ` Brandon Williams
2016-11-02 23:46 ` Brandon Williams
2016-11-03 0:08 ` Jeff King
2016-11-03 0:22 ` Jonathan Nieder
2016-11-03 0:41 ` Blake Burkhart
2016-11-03 2:44 ` Junio C Hamano
2016-11-03 14:38 ` Jeff King
2016-11-03 17:25 ` Brandon Williams
2016-11-03 17:39 ` Stefan Beller
2016-11-03 17:51 ` Brandon Williams
2016-11-03 18:02 ` Jeff King
2016-11-03 18:08 ` Brandon Williams
2016-11-03 18:00 ` Jeff King
2016-11-03 17:53 ` Jeff King
2016-11-03 18:19 ` Brandon Williams
2016-11-03 18:25 ` Jeff King
2016-11-03 18:24 ` Jeff King
2016-11-03 18:45 ` Brandon Williams
2016-11-03 18:50 ` Jeff King
2016-11-03 18:56 ` Brandon Williams
2016-11-03 0:50 ` [PATCH v2] " Brandon Williams
2016-11-04 20:55 ` [PATCH v3] transport: add protocol policy " Brandon Williams
2016-11-04 20:58 ` Brandon Williams
2016-11-04 21:35 ` Stefan Beller
2016-11-04 23:09 ` Jeff King
2016-11-05 0:18 ` Brandon Williams
2016-11-04 22:38 ` Stefan Beller
2016-11-07 18:14 ` Brandon Williams
2016-11-04 23:06 ` Jeff King
2016-11-07 19:17 ` Brandon Williams
2016-11-07 19:35 ` [PATCH v4 1/2] lib-proto-disable: variable name fix Brandon Williams
2016-11-07 19:35 ` [PATCH v4 2/2] transport: add protocol policy config option Brandon Williams
2016-11-07 20:44 ` Jeff King
2016-11-07 21:02 ` Brandon Williams
2016-11-07 20:26 ` [PATCH v4 1/2] lib-proto-disable: variable name fix Jeff King
2016-11-07 20:40 ` Brandon Williams
2016-11-07 20:48 ` Jeff King
2016-11-08 3:32 ` Jacob Keller
2016-11-08 20:52 ` Junio C Hamano
2016-11-07 21:51 ` [PATCH v5 " Brandon Williams
2016-11-07 21:51 ` [PATCH v5 2/2] transport: add protocol policy config option Brandon Williams
2016-11-08 22:04 ` Jeff King
2016-11-08 22:05 ` Brandon Williams
2016-12-01 19:44 ` [PATCH v6 0/4] transport protocol policy configuration Brandon Williams
2016-12-01 19:44 ` [PATCH v6 1/4] lib-proto-disable: variable name fix Brandon Williams
2016-12-01 19:44 ` [PATCH v6 2/4] transport: add protocol policy config option Brandon Williams
2016-12-01 19:44 ` [PATCH v6 3/4] http: always warn if libcurl version is too old Brandon Williams
2016-12-01 19:44 ` [PATCH v6 4/4] transport: check if protocol can be used on a redirect Brandon Williams
2016-12-01 19:48 ` Brandon Williams
2016-12-01 19:49 ` Brandon Williams
2016-12-01 19:50 ` Jeff King
2016-12-01 19:54 ` Junio C Hamano
2016-12-01 19:59 ` Jeff King
2016-12-01 20:01 ` Brandon Williams
2016-12-01 20:25 ` [PATCH v7 0/4] transport protocol policy configuration Brandon Williams
2016-12-01 20:25 ` [PATCH v7 1/4] lib-proto-disable: variable name fix Brandon Williams
2016-12-01 20:25 ` [PATCH v7 2/4] transport: add protocol policy config option Brandon Williams
2016-12-01 20:25 ` [PATCH v7 3/4] http: always warn if libcurl version is too old Brandon Williams
2016-12-01 20:25 ` [PATCH v7 4/4] transport: add from_user parameter to is_transport_allowed Brandon Williams
2016-12-01 21:40 ` Jeff King
2016-12-01 22:25 ` Junio C Hamano
2016-12-01 23:07 ` Brandon Williams
2016-12-01 23:26 ` Brandon Williams
2016-12-02 0:13 ` Jeff King
2016-12-02 17:33 ` Brandon Williams [this message]
2016-12-01 23:34 ` Junio C Hamano
2016-12-01 23:58 ` Brandon Williams
2016-12-05 20:04 ` Junio C Hamano
2016-12-05 22:22 ` Brandon Williams
2016-12-05 23:19 ` Junio C Hamano
2016-12-05 23:22 ` Brandon Williams
2016-12-06 13:51 ` Jeff King
2016-12-06 17:53 ` Junio C Hamano
2016-12-06 18:10 ` Jeff King
2016-12-06 18:24 ` [PATCH v2] jk/http-walker-limit-redirect rebased to maint-2.9 Jeff King
2016-12-06 18:24 ` [PATCH v2 1/6] http: simplify update_url_from_redirect Jeff King
2016-12-06 18:24 ` [PATCH v2 2/6] http: always update the base URL for redirects Jeff King
2016-12-06 18:24 ` [PATCH v2 3/6] remote-curl: rename shadowed options variable Jeff King
2016-12-06 18:24 ` [PATCH v2 4/6] http: make redirects more obvious Jeff King
2016-12-06 18:24 ` [PATCH v2 5/6] http: treat http-alternates like redirects Jeff King
2016-12-06 18:25 ` [PATCH v2 6/6] http-walker: complain about non-404 loose object errors Jeff King
2016-12-06 22:24 ` [PATCH v7 4/4] transport: add from_user parameter to is_transport_allowed Brandon Williams
2016-12-02 0:00 ` [PATCH v8 0/5] transport protocol policy configuration Brandon Williams
2016-12-02 0:00 ` [PATCH v8 1/5] lib-proto-disable: variable name fix Brandon Williams
2016-12-02 0:00 ` [PATCH v8 2/5] transport: add protocol policy config option Brandon Williams
2016-12-02 0:01 ` [PATCH v8 3/5] http: always warn if libcurl version is too old Brandon Williams
2016-12-02 0:01 ` [PATCH v8 4/5] http: create function to get curl allowed protocols Brandon Williams
2016-12-02 0:01 ` [PATCH v8 5/5] transport: add from_user parameter to is_transport_allowed Brandon Williams
2016-12-14 1:40 ` [PATCH v9 0/5] transport protocol policy configuration Brandon Williams
2016-12-14 1:40 ` [PATCH v9 1/5] lib-proto-disable: variable name fix Brandon Williams
2016-12-14 1:40 ` [PATCH v9 2/5] transport: add protocol policy config option Brandon Williams
2016-12-14 1:40 ` [PATCH v9 3/5] http: always warn if libcurl version is too old Brandon Williams
2016-12-14 16:01 ` Jeff King
2016-12-14 17:56 ` Brandon Williams
2016-12-14 1:40 ` [PATCH v9 4/5] http: create function to get curl allowed protocols Brandon Williams
2016-12-14 16:03 ` Jeff King
2016-12-14 18:00 ` Brandon Williams
2016-12-14 1:40 ` [PATCH v9 5/5] transport: add from_user parameter to is_transport_allowed Brandon Williams
2016-12-14 16:40 ` Jeff King
2016-12-14 20:13 ` Brandon Williams
2016-12-14 20:33 ` Jeff King
2016-12-14 21:12 ` Jeff King
2016-12-14 21:58 ` Brandon Williams
[not found] ` <CAP3OtXiOPbAkr5Mn+5tEmZZAZzJXQ4CvtpHCg=wt+k-bi6K2vA@mail.gmail.com>
[not found] ` <CAP3OtXhH++szRws20MaHt-ftLBMUJuYiTmfL50mOFP4FA4Mn6Q@mail.gmail.com>
2016-12-14 22:52 ` Jeff King
2016-12-14 20:37 ` Brandon Williams
2016-12-14 20:41 ` Jeff King
2016-12-14 20:50 ` Brandon Williams
2016-12-14 22:39 ` [PATCH v10 0/6] transport protocol policy configuration Brandon Williams
2016-12-14 22:39 ` [PATCH v10 1/6] lib-proto-disable: variable name fix Brandon Williams
2016-12-14 22:39 ` [PATCH v10 2/6] http: always warn if libcurl version is too old Brandon Williams
2016-12-15 0:21 ` Jeff King
2016-12-15 17:29 ` Junio C Hamano
2016-12-14 22:39 ` [PATCH v10 3/6] transport: add protocol policy config option Brandon Williams
2016-12-14 22:39 ` [PATCH v10 4/6] http: create function to get curl allowed protocols Brandon Williams
2016-12-14 22:39 ` [PATCH v10 5/6] transport: add from_user parameter to is_transport_allowed Brandon Williams
2016-12-14 22:39 ` [PATCH v10 6/6] http: respect protocol.*.allow=user for http-alternates Brandon Williams
2016-12-14 23:25 ` [PATCH v10 0/6] transport protocol policy configuration Junio C Hamano
2016-12-15 0:22 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161202173349.GA117792@google.com \
--to=bmwill@google.com \
--cc=bburky@bburky.com \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.