From: "H. Peter Anvin" <hpa@zytor.com>
To: Junio C Hamano <junkio@cox.net>
Cc: Johannes Schindelin <Johannes.Schindelin@gmx.de>, git@vger.kernel.org
Subject: Re: [RFC] daemon whitelist handling (Re: git pull aborts in 50% of cases)
Date: Sat, 03 Dec 2005 11:41:17 -0800
Message-ID: <4391F4DD.2060002@zytor.com>
In-Reply-To: <7vzmnivuz8.fsf_-_@assigned-by-dhcp.cox.net>

Junio C Hamano wrote:
>
> For example, I can by mistake create a symbolic link:
>
>     ln -s /home /pub/scm/git/git.git/oops
>
> now access to /pub/scm/git/oops/hpa/secret.git/ is not
> restricted. We could hand-resolve each level from the
> request to see if no "funny" symbolic links are involved, but
> what is the definition of "funny"? When we see /pub pointing at
> somewhere in /mnt/disk47/slice31, we should not complain. When
> we see "oops" under git in the above example, we would want to
> complain. These things are hard to get right.
>

Actually, it's a policy decision whether or not symlinks should be
allowed to exit space like that; in Apache, for example, it's a
configurable.

> I tend to say that the 0.99.9k (and the current master) rule to
> make validation always work on what getcwd() gives back is
> easier to understand (which generally means safer). Can I talk
> you into adjusting your whitelist on kernel.org machines?

I'm not happy about it, but it's not a huge deal on kernel.org.
However, I think it's the wrong thing, especially in the light of
allowing user-relative paths.

At the very least, if you insist on using getcwd() names, you should
pre-canonicalize the whitelist, too.

-hpa
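
The closing point of the message above, sketched as an added example (not part of the original message and not git-daemon's code): the request is resolved with realpath(), standing in for the getcwd() name, and compared against one whitelist entry either as written or pre-canonicalized. The temporary directory layout and the names `path_allowed` and `demo` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if resolved path p is dir itself or lies below it. */
static int is_under(const char *p, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(p, dir, n) == 0 && (p[n] == '/' || p[n] == '\0');
}

/* Resolve the request to its physical name (what getcwd() reports after a
 * chdir()) and compare with one whitelist entry, raw or canonicalized too. */
int path_allowed(const char *request, const char *entry, int canon_entry)
{
    char req[PATH_MAX], ent[PATH_MAX];
    if (!realpath(request, req))
        return 0;                          /* unresolvable path: deny */
    if (!canon_entry)
        return is_under(req, entry);
    return realpath(entry, ent) != NULL && is_under(req, ent);
}

/* Constructed fixture in a temp dir: pub -> disk47 is the benign symlink,
 * disk47/git/oops -> home the mistaken one. Whitelist entry: <base>/pub/git. */
int demo(const char *rel_request, int canon_entry)
{
    char base[] = "/tmp/wlXXXXXX", cmd[512], req[PATH_MAX], ent[PATH_MAX];
    if (!mkdtemp(base))
        return -1;
    snprintf(cmd, sizeof cmd, "cd %s && mkdir -p disk47/git/git.git home/hpa/secret.git"
             " && ln -s disk47 pub && ln -s ../../home disk47/git/oops", base);
    if (system(cmd) != 0)
        return -1;
    snprintf(ent, sizeof ent, "%s/pub/git", base);   /* entry as the admin wrote it */
    snprintf(req, sizeof req, "%s/pub/git/%s", base, rel_request);
    int ok = path_allowed(req, ent, canon_entry);
    snprintf(cmd, sizeof cmd, "rm -rf %s", base);    /* remove the fixture */
    return system(cmd) == 0 ? ok : -1;
}

int main(void)
{
    printf("git.git, raw whitelist:       %d\n", demo("git.git", 0));
    printf("git.git, canonical whitelist: %d\n", demo("git.git", 1));
    printf("oops/hpa/secret.git:          %d\n", demo("oops/hpa/secret.git", 1));
}
```

With the entry left as written, the legitimate repository behind the benign `pub` symlink is refused; with both sides canonicalized it is served, and the `oops` path is refused either way.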