From: Jonathan Nieder <jrnieder@gmail.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Jeff King <peff@peff.net>,
Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Ilya Tretyakov <it@it3xl.ru>
Subject: Re: [PATCH 0/3] credential: handle partial URLs in config settings again
Date: Wed, 22 Apr 2020 15:47:11 -0700 [thread overview]
Message-ID: <20200422224711.GC140314@google.com> (raw)
In-Reply-To: <nycvar.QRO.7.76.6.2004230019170.18039@tvgsbejvaqbjf.bet>
Hi,
Johannes Schindelin wrote:
> On Wed, 22 Apr 2020, Jeff King wrote:
>> On Wed, Apr 22, 2020 at 08:51:02PM +0000, Johannes Schindelin via GitGitGadget wrote:
>>> Please note that Git v2.17.4 will not do what we would expect here: if any
>>> host name (without protocol) is specified, e.g. -c
>>> credential.golli.wog.username = boo, it will actually ignore the host name.
>>> That is, this will populate the username:
>>>
>>> $ echo url=https://example.com |
>>> git -c credential.totally.bog.us.username=foo credential fill
>>
>> That seems scary. What if it is not .username, but:
>>
>> [credential "example.com"]
>> username = foo
>> helper = "!echo password=bar"
>>
>> ? (Or you can imagine a helper that is pulling from a read-only store,
>> like "pass"). That would send the credential to the wrong host.
>
> It would. But I am not aware of any implications regarding `.gitmodules`
> (for some reason I now expect every bug to open an attack vector via
> submodules, I wonder why that is), so that's at least good.
Submodules are only one of many ways that people end up cloning from
an attacker-controlled URL. In submodules we're careful not to use
--recurse-submodules by default at clone time. So I'll mentally
subsitute "attacker-controlled URLs" where you say "submodules". ;-)
I agree with Peff's concern about the unpatched state: since there are
people who use `[credential "host.example.com"] helper` and there are
credential helpers that ignore the host passed in, the combination can
hurt people. (Fortunately, there aren't many credential helpers in
that category that are commonly used.)
[...]
> Yes. For the record, I tried to be very careful here. The _only_ code path
> that is affected by this change is the config reading.
[...]
> But again, I would love another pair of eyes on this, to confirm my
> analysis.
As mentioned above, the config reading is sensitive, too. That said,
I suspect you got it to do basically the right thing.
Reading through the patches. Thank you.
Jonathan
next prev parent reply other threads:[~2020-04-22 22:47 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-22 20:51 [PATCH 0/3] credential: handle partial URLs in config settings again Johannes Schindelin via GitGitGadget
2020-04-22 20:51 ` [PATCH 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-22 23:29 ` Jonathan Nieder
2020-04-22 20:51 ` [PATCH 2/3] credential: teach `credential_from_url()` a non-strict mode Johannes Schindelin via GitGitGadget
2020-04-22 22:29 ` Junio C Hamano
2020-04-22 22:50 ` Johannes Schindelin
2020-04-22 23:02 ` Junio C Hamano
2020-04-22 23:38 ` Jonathan Nieder
2020-04-23 0:02 ` Carlo Arenas
2020-04-23 13:28 ` Johannes Schindelin
2020-04-23 21:22 ` Carlo Marcelo Arenas Belón
2020-04-23 22:03 ` Johannes Schindelin
2020-04-23 22:11 ` Junio C Hamano
2020-04-23 22:16 ` Junio C Hamano
2020-04-23 23:22 ` Johannes Schindelin
2020-04-23 22:50 ` Johannes Schindelin
2020-04-22 20:51 ` [PATCH 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-22 23:57 ` Jonathan Nieder
2020-04-23 23:19 ` Johannes Schindelin
2020-04-22 22:13 ` [PATCH 0/3] credential: handle partial URLs in config settings again Jeff King
2020-04-22 22:26 ` Johannes Schindelin
2020-04-22 22:47 ` Jonathan Nieder [this message]
2020-04-23 22:11 ` Johannes Schindelin
2020-04-23 23:43 ` [PATCH v2 " Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-23 23:43 ` [PATCH v2 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24 0:05 ` Carlo Marcelo Arenas Belón
2020-04-24 0:16 ` Johannes Schindelin
2020-04-24 0:39 ` Carlo Marcelo Arenas Belón
2020-04-24 11:34 ` Johannes Schindelin
2020-04-24 0:34 ` Junio C Hamano
2020-04-24 0:40 ` Junio C Hamano
2020-04-24 11:36 ` Johannes Schindelin
2020-04-24 0:49 ` [PATCH v2 0/3] credential: handle partial URLs in config settings again Carlo Marcelo Arenas Belón
2020-04-24 11:49 ` [PATCH v3 " Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 1/3] credential: fix grammar Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 2/3] credential: optionally allow partial URLs in credential_from_url_gently() Johannes Schindelin via GitGitGadget
2020-04-24 11:49 ` [PATCH v3 3/3] credential: handle `credential.<partial-URL>.<key>` again Johannes Schindelin via GitGitGadget
2020-04-24 15:23 ` Carlo Marcelo Arenas Belón
2020-04-25 10:43 ` Johannes Schindelin
2020-04-24 22:20 ` Junio C Hamano
2020-04-24 22:29 ` Johannes Schindelin
2020-04-28 23:13 ` Junio C Hamano
2020-04-29 14:58 ` Johannes Schindelin
2020-04-29 15:36 ` Junio C Hamano
2020-05-01 19:58 ` Johannes Schindelin
2020-05-01 20:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200422224711.GC140314@google.com \
--to=jrnieder@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=it@it3xl.ru \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.