From: LE Manh Cuong <cuong.manhle.vn@gmail.com>
To: gitster@pobox.com
Cc: git@vger.kernel.org, LE Manh Cuong <cuong.manhle.vn@gmail.com>
Subject: Re: [PATCH] git-sh-setup.sh: fix missing double quotes variables
Date: Sun, 19 Jun 2016 09:45:54 +0700 [thread overview]
Message-ID: <20160619024554.2983-1-cuong.manhle.vn@gmail.com> (raw)
In-Reply-To: <xmqqshwax8ah.fsf@gitster.mtv.corp.google.com>
> Given that LESS, LV and GIT_OBJECT_DIRECTORY are expected to be free
> of any "expensive to expand" strings, I am not sure if this actually
> matters, though. And more importantly, these are what the end users
> are expected to set to whatever sensible values for them.
The problem is the end users want a "string". In shell, it means you want
scalar context instead of list context, which is where the vulnerability
occured.
Using `$var` is actually `glob(split($var))`. While using
`"$var"` means the shell interpreted $var content as string. That's also
what you do with `test`, `[...]`, redirection `>"$file"` (which is mentioned
in Git conding contention).
That's a mistake usage to introduce that "bug" to the end user.
(I invite you to read the excelent question/answer about this problem
at http://unix.stackexchange.com/q/171346/38906)
> You would not be lying if you said that Git lets people who want to
> do strange things shoot their feet off; I do not think that hardly
> deserves to be called "vulnerability", though.
>
> Having said all that, I do not mind preventing people from shooting
> their foot off, and the change in this patch certainly would not
> hurt.
It's not only people shooting their foot, but also from malicious user.
Given that `curl url | sudo sh/bash` is often found in many instructions,
an end user may not be noticed about the environment variable injection
from their side.
IMHO, it's better if git can protect the end users in this situation.
next prev parent reply other threads:[~2016-06-19 2:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-18 19:37 [PATCH] git-sh-setup.sh: fix missing double quotes variables LE Manh Cuong
2016-06-18 20:12 ` LE Manh Cuong
2016-06-18 20:26 ` [PATCH] git-sh-setup.sh: fix missing double quotes variables LE Manh Cuong
2016-06-19 1:43 ` Junio C Hamano
2016-06-19 2:45 ` LE Manh Cuong [this message]
2016-06-19 3:16 ` Junio C Hamano
2016-06-19 11:31 ` LE Manh Cuong
2016-06-19 17:59 ` Junio C Hamano
2016-06-19 18:09 ` LE Manh Cuong
2016-06-19 21:06 ` Junio C Hamano
2016-06-19 21:18 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160619024554.2983-1-cuong.manhle.vn@gmail.com \
--to=cuong.manhle.vn@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).