From: Jeff King <peff@peff.net>
To: Sebastian Kisela <skisela@redhat.com>,
git@vger.kernel.org, nico@fluxnic.net, larsxschneider@gmail.com,
lfleischer@lfos.de
Subject: Re: [PATCH] Sanitize escape char sequences coming from server
Date: Thu, 21 Jun 2018 14:51:11 -0400 [thread overview]
Message-ID: <20180621185111.GA1046@sigill.intra.peff.net> (raw)
In-Reply-To: <20180621180942.GA32506@redhat.com>
On Thu, Jun 21, 2018 at 08:09:43PM +0200, Pavel Cahyna wrote:
> > > + int len = mbstowcs(wcstring, outbuf->buf, outbuf->len);
> >
> > I don't think mbstowcs() is always going to do the right thing there.
> > We're looking at a string that was sent from the remote server. What
> > encoding is it in? Using mbstowcs() is going to use whatever is in
> > LC_CTYPE on the local machine.
>
> Exactly. The point is, everything should continue to work if the local
> machine and the server agreed on the encoding. Imagine a
> non-English-speaking site where the administrators configured the Git
> server to output non-ASCII messages and the clients are configured with
> a matching locale which allows the users to see them. We should ensure
> everything keeps working in this case.
What if they don't agree on the encoding? Right now you might get some
mojibake. After this patch, we'd return an error.
I thought at first we'd stop showing the message, which would be a
regression. But looking at the caller, it does not actually break on
seeing the error. Which means that the whole sanitizing process can be
skipped simply by the attacker including a bogus multibyte sequence.
> > Using isprint() here probably doesn't do what you expect, because Git
> > uses its own locale-agnostic ctype replacements. I didn't check, but I
> > suspect any non-ascii characters will be marked as non-printable, making
> > the whole wchar thing pointless.
>
> isw*() was probably intended instead of is*()
Yes, we don't override the isw* functions, so that would work (I still
think that assuming the server messages are in our local charset is
somewhat questionable).
> > > +
> > > + if (sanitize_server_message(&outbuf))
> > > + retval = SIDEBAND_REMOTE_ERROR;
> >
> > "outbuf" may contain partially-received lines at various points, meaning
> > multi-byte characters could be cut off. I _think_ it's OK to look at it
> > here, as we'd always be breaking on a "\r" or "\n" at this point.
>
> Maybe sanitize_server_message should return a mbstate_t to keep state
> between invocations?
I think this site is OK because of the CR/LF breaking. For the "final"
one where it's not OK, there's no point in keeping state since we know
we hit EOF already.
-Peff
prev parent reply other threads:[~2018-06-21 18:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-21 12:10 [PATCH] Sanitize escape char sequences coming from server Sebastian Kisela
2018-06-21 17:41 ` Jeff King
2018-06-21 18:09 ` Pavel Cahyna
2018-06-21 18:51 ` Jeff King [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180621185111.GA1046@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=larsxschneider@gmail.com \
--cc=lfleischer@lfos.de \
--cc=nico@fluxnic.net \
--cc=skisela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).