From: Taylor Blau <me@ttaylorr.com>
To: git@vger.kernel.org
Cc: Jeff King <peff@peff.net>, Junio C Hamano <gitster@pobox.com>,
    Matthew John Cheetham <mjcheetham@outlook.com>,
    Johannes Schindelin <Johannes.Schindelin@gmx.de>,
    Derrick Stolee <derrickstolee@github.com>
Subject: [PATCH 0/7] contrib/credential: avoid protocol injection attacks
Date: Mon, 1 May 2023 11:53:44 -0400
Message-ID: <cover.1682956419.git.me@ttaylorr.com>

This series addresses a handful of potential protocol injection attacks
possible via some of the credential helpers in contrib/credential, and
the new "wwwauth[]" directive.

The attack is described in complete detail in 2/7, but roughly boils
down to using a long line to incur multiple fgets() calls which can
treat data in the middle of the line as if it appeared at the beginning.

Luckily, all protocol fields part of tagged versions of Git are immune
from this attack. Briefly:

  - "protocol" is restricted to known values

  - "host" is immune because curl will reject hostnames that have a '='
    character in them, which would be required to carry out this attack.

  - "username", and "path" are immune, because the buffer characters to
    fill out the first `fgets()` call would pollute the
    `username`/`path` field, causing the credential helper to return
    nothing

  - "password" is immune because providing a password instructs
    credential helpers to avoid filling credentials in the first place.

But the new "wwwauth[]" field does allow this attack to take place.
Since these credential helpers are tested via t0303 (which requires some
extensive set-up), we opted not to make these fixes during the last
embargo period, and instead do them before the "wwwauth[]" feature
becomes part of a tagged version.

With the additional time, we have been able to verify that the affected
credential helpers which are modified in this series all fail the new
test before their patches, and pass afterwards. Thanks to Peff for
looking at libsecret, Matthew Cheetham for looking at wincred. I looked
at osxkeychain.

Taylor Blau (7):
  credential.c: store "wwwauth[]" values in `credential_read()`
  t/lib-credential.sh: ensure credential helpers handle long headers
  contrib/credential: avoid fixed-size buffer in osxkeychain
  contrib/credential: remove 'gnome-keyring' credential helper
  contrib/credential: .gitignore libsecret build artifacts
  contrib/credential: avoid fixed-size buffer in libsecret
  contrib/credential: embiggen fixed-size buffer in wincred

 contrib/credential/gnome-keyring/.gitignore   |   1 -
 contrib/credential/gnome-keyring/Makefile     |  25 -
 .../git-credential-gnome-keyring.c            | 470 ------------------
 contrib/credential/libsecret/.gitignore       |   1 +
 .../libsecret/git-credential-libsecret.c      |  15 +-
 .../osxkeychain/git-credential-osxkeychain.c  |  10 +-
 .../wincred/git-credential-wincred.c          |  21 +-
 credential.c                                  |   2 +
 t/lib-credential.sh                           |  29 ++
 9 files changed, 63 insertions(+), 511 deletions(-)
 delete mode 100644 contrib/credential/gnome-keyring/.gitignore
 delete mode 100644 contrib/credential/gnome-keyring/Makefile
 delete mode 100644 contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
 create mode 100644 contrib/credential/libsecret/.gitignore

-- 
2.40.1.452.gb3cd41c833
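
The long-line effect the cover letter describes, as an added C example that is not part of the original message and is not code from Git or its credential helpers: a reader that treats every fgets() chunk as a new line, next to one that joins chunks until the newline before parsing. The 32-byte BUF_SIZE, the function names (take_host, parse, demo) and the sample hosts are assumptions made for illustration, and the input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 32 /* assumed helper buffer size, kept small for the demo */

/* Copy the value into host if `line` is a "host=" field; returns 1 if so. */
static int take_host(const char *line, char *host, size_t n)
{
	if (strncmp(line, "host=", 5))
		return 0;
	snprintf(host, n, "%.*s", (int)strcspn(line + 5, "\n"), line + 5);
	return 1;
}

/* whole_lines == 0: each fgets() chunk is parsed as if it began a line (weak).
 * whole_lines == 1: chunks are joined until '\n' and parsed once (hardened). */
int parse(FILE *in, int whole_lines, char *host, size_t n)
{
	char chunk[BUF_SIZE], *line = NULL, *grown;
	size_t len = 0, c;
	int hits = 0;
	while (fgets(chunk, sizeof(chunk), in) && (c = strlen(chunk)) > 0) {
		if (!(grown = realloc(line, len + c + 1)))
			break;
		line = grown;
		memcpy(line + len, chunk, c + 1);
		len += c;
		if (!whole_lines || line[len - 1] == '\n') {
			hits += take_host(line, host, n);
			len = 0;
		}
	}
	if (len) /* last line had no trailing newline */
		hits += take_host(line, host, n);
	free(line);
	return hits;
}

/* Constructed input: the padding puts "host=" at the second fgets() call. */
int demo(int whole_lines, char *host, size_t n)
{
	FILE *in = tmpfile();
	int hits;
	if (!in) return -1;
	fprintf(in, "host=example.com\nwwwauth[]=%0*dhost=other.example\n", BUF_SIZE - 11, 0);
	rewind(in);
	hits = parse(in, whole_lines, host, n);
	fclose(in);
	return hits;
}
```

With whole_lines set to 0 the reader sees two host fields and keeps the second; with whole_lines set to 1 it sees only the genuine one, because the padded text stays part of the wwwauth[] value.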