From: "H. Peter Anvin" <hpa@zytor.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: [PATCH] git-daemon extra paranoia
Date: Tue, 18 Oct 2005 17:43:55 -0700 [thread overview]
Message-ID: <435596CB.6070401@zytor.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0510181728490.3369@g5.osdl.org>
Linus Torvalds wrote:
> And just appending ".git" is _not_ badly designed/specified. I did think
> about the boundary cases, and it's entirely safe:
>
> - it can't result in "surprises": if the original pathname doesn't exist,
> then even if there is a race and it got created in between the two
> chdir's as a directory and the name had a slash at the end, adding
> ".git" is actually safe even if it succeeds: it won't take us anywhere
> surprising. At worst it will take us to the ".git" directory of a newly
> added git archive, but that's what we wanted anyway, so..
>
> - you can't create ".." with it - even if the passed-in filename ended
> with "xyz/.", you'll end up with a perfectly safe "xyz/..git", so any
> safety checks that were done on the original pathname are still valid
> when appending ".git" to it.
>
> - and exactly because we don't append slashes or anything like that, the
> end result won't even have anything ambiguous like "//" in it.
>
> So it really doesn't have any downsides that I can see.
>
Consider the whitelist/blacklist scenario I described in the previous
email. You have:
whitelist: /pub/scm
blacklist: /pub/scm/foo/bar.git
If you can bypass the blacklist by using the pathname /pub/scm/foo/bar,
that's bad.
>
>>The DWIM aspect is fine, of course, but it has to be done up front: instead of
>>doing just chdir(), each path should be validated through path_ok() before
>>even being considered for chdir(). Perhaps the right thing to do is to
>>combine the two functions.
>
> Sure, you could do that, and just replace path_ok + chdir with a
> "safe_chdir()". I don't really see the point, unless you want to walk the
> path one component at a time, though (which is really quite expensive).
>
The only reason to do that is to make it less likely that a future
programmer would screw it up.
-hpa
next prev parent reply other threads:[~2005-10-19 0:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-18 20:54 [PATCH] git-daemon extra paranoia H. Peter Anvin
2005-10-18 21:19 ` Junio C Hamano
2005-10-18 21:29 ` H. Peter Anvin
2005-10-18 22:08 ` H. Peter Anvin
2005-10-18 22:13 ` [PATCH] Revised - " H. Peter Anvin
2005-10-18 22:25 ` [PATCH] " Linus Torvalds
2005-10-18 22:47 ` Junio C Hamano
2005-10-18 23:21 ` Linus Torvalds
2005-10-19 0:21 ` H. Peter Anvin
2005-10-19 0:41 ` Linus Torvalds
2005-10-19 0:43 ` H. Peter Anvin [this message]
2005-10-19 1:18 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=435596CB.6070401@zytor.com \
--to=hpa@zytor.com \
--cc=git@vger.kernel.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.