From: Joey Hess <joeyh@joeyh.name>
To: git@vger.kernel.org
Cc: Joey Hess <joeyh@joeyh.name>
Subject: [PATCH] avoid insecure use of mail in man page example
Date: Tue, 28 Sep 2021 08:16:48 -0400 [thread overview]
Message-ID: <20210928121648.1390915-1-joeyh@joeyh.name> (raw)
As recently seen in fail2ban's security hole (CVE-2021-32749),
piping user controlled input to mail is exploitable,
since a line starting with "~! foo" in the input will run command foo.
This example on the man page pipes to mail. It may not be exploitable.
git rev-list --pretty indents commit messages, which prevents the escape
sequence working there. It's less clear if it might be possible to embed
the escape sequence in a signed push certificate. The user reading the
man page might alter the example to do something more exploitable.
To encourage safe use of mail, add -E 'set escape'
Signed-off-by: Joey Hess <joeyh@joeyh.name>
---
Documentation/git-receive-pack.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 014a78409b..cdaae75365 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -183,7 +183,7 @@ do
echo "New commits:"
git rev-list --pretty "$nval" "^$oval"
fi |
- mail -s "Changes to ref $ref" commit-list@mydomain
+ mail -E 'set escape' -s "Changes to ref $ref" commit-list@mydomain
done
# log signed push certificate, if any
if test -n "${GIT_PUSH_CERT-}" && test ${GIT_PUSH_CERT_STATUS} = G
@@ -191,7 +191,7 @@ then
(
echo expected nonce is ${GIT_PUSH_NONCE}
git cat-file blob ${GIT_PUSH_CERT}
- ) | mail -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
+ ) | mail -E 'set escape' -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
fi
exit 0
----
--
2.33.0
next reply other threads:[~2021-09-28 12:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-28 12:16 Joey Hess [this message]
2021-09-28 18:46 ` [PATCH] avoid insecure use of mail in man page example Jeff King
2021-09-28 23:46 ` Junio C Hamano
2021-09-29 0:26 ` Jeff King
2021-10-18 0:55 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210928121648.1390915-1-joeyh@joeyh.name \
--to=joeyh@joeyh.name \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).