From: Jeff King <peff@peff.net>
To: Erik Faye-Lund <kusmabite@gmail.com>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: [PATCH 0/2] upload-archive security issues
Date: Tue, 15 Nov 2011 17:23:20 -0500
Message-ID: <20111115222320.GA28646@sigill.intra.peff.net>
In-Reply-To: <CABPQNSZ71==pQvH9nTQ3rD6c1RJiLmkA+k_9KS=T45cQb+PTLA@mail.gmail.com>
On Tue, Nov 15, 2011 at 11:01:09PM +0100, Erik Faye-Lund wrote:
> Yikes! Perhaps the whole deal of rewriting the code to take explicit
> file descriptors (and/or dup-bonanza) would have been the better
> choice after all?
It's certainly simpler. This way is not that hard to fix; we just need
to be more careful about the code path getting from upload-archive into
write_archive.
> For the record: I would be fine with c09cd77e simply being reverted
> for this release, and having a better version applied in the near
> future. Windows support for upload-archive is not worth the risk of
> slipping in a remote code execution bug...
I'd be OK with that, too.
> Not only did you fail to spot them, you actually wrote that part of the code ;)
>
> http://article.gmane.org/gmane.comp.version-control.git/178098
>
> (I don't mean to shift blame over to you, I'm the one who should have
> spent more time thinking about this as this was "my" series)
Heh. I did say "something like this" in that message, which is usually a
sure sign I haven't actually thought too hard about the code I'm about
to write. I'll be content to share the blame equally with you. :)
-Peff
Thread overview: 7+ messages
2011-11-15 21:42 [PATCH 0/2] upload-archive security issues Jeff King
2011-11-15 21:43 ` [PATCH 1/2] archive: don't allow negation of --remote-request Jeff King
2011-11-15 21:48 ` [PATCH 2/2] archive: limit ourselves during remote requests Jeff King
2011-11-16 0:03 ` Junio C Hamano
2011-11-15 22:01 ` [PATCH 0/2] upload-archive security issues Erik Faye-Lund
2011-11-15 22:23 ` Jeff King [this message]
2011-11-15 23:40 ` Junio C Hamano