From: Johannes Sixt <j6t@kdbg•org>
To: Erik Faye-Lund <kusmabite@gmail•com>
Cc: git@vger•kernel.org, gitster@pobox•com,
johannes.schindelin@gmx•de, Theo Niessink <theo@taletn•com>
Subject: Re: [PATCH 3/3] verify_path: consider dos drive prefix
Date: Fri, 27 May 2011 20:58:59 +0200 [thread overview]
Message-ID: <4DDFF473.7030104@kdbg.org> (raw)
In-Reply-To: <1306512040-1468-4-git-send-email-kusmabite@gmail.com>
Am 27.05.2011 18:00, schrieb Erik Faye-Lund:
> If someone manage to create a repo with a 'C:' entry in the
> root-tree, files can be written outside of the working-dir. This
> opens up a can-of-worms of exploits.
>
> Fix it by explicitly checking for a dos drive prefix when verifying
> a paht. While we're at it, make sure that paths beginning with '\' is
> considered absolute as well.
I think we do agree that the only way to avoid the security breach is to
check a path before it is used to write a file. In practice, it means to
disallow paths in the top-most level of the index that are two
characters long and are letter-colon.
IMHO, it is pointless to avoid that an evil path enters the repository,
because there are so many and a few more ways to create an evil repository.
> diff --git a/read-cache.c b/read-cache.c
> index f38471c..68faa51 100644
> --- a/read-cache.c
> +++ b/read-cache.c
> @@ -753,11 +753,14 @@ int verify_path(const char *path)
> {
> char c;
>
> + if (has_dos_drive_prefix(path))
> + return 0;
> +
Isn't verify_path used to avoid that a bogus path enters the index? (I
don't know, I'm not familiar with this infrastructure.)
> goto inside;
> for (;;) {
> if (!c)
> return 1;
> - if (c == '/') {
> + if (is_dir_sep(c)) {
> inside:
And if so, at this point, all backslashes should have been converted to
forward-slashes already. If not, then this would just paper over the
real bug.
> c = *path++;
> switch (c) {
-- Hannes
next prev parent reply other threads:[~2011-05-27 18:59 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-27 16:00 [PATCH maint 0/3] do not write files outside of work-dir Erik Faye-Lund
2011-05-27 16:00 ` [PATCH 1/3] A Windows path starting with a backslash is absolute Erik Faye-Lund
2011-05-27 16:00 ` [PATCH 2/3] real_path: do not assume '/' is the path seperator Erik Faye-Lund
2011-05-27 16:00 ` [PATCH 3/3] verify_path: consider dos drive prefix Erik Faye-Lund
2011-05-27 18:58 ` Johannes Sixt [this message]
2011-05-30 9:32 ` Erik Faye-Lund
2011-05-30 10:58 ` Theo Niessink
2011-05-30 11:17 ` Erik Faye-Lund
2011-06-07 3:46 ` Junio C Hamano
2011-06-07 10:07 ` Erik Faye-Lund
2011-06-07 19:09 ` Erik Faye-Lund
2011-06-07 19:22 ` Junio C Hamano
2011-06-07 19:32 ` Erik Faye-Lund
2011-06-07 11:46 ` Theo Niessink
2011-05-30 20:23 ` Johannes Sixt
2011-05-27 17:57 ` [PATCH maint 0/3] do not write files outside of work-dir Junio C Hamano
2011-05-27 18:09 ` Johannes Schindelin
2011-05-27 19:16 ` Junio C Hamano
2011-06-01 4:14 ` Tait
2011-06-01 6:31 ` Johannes Sixt
-- strict thread matches above, loose matches on Subject: below --
2011-06-08 9:55 [PATCH 3/3] verify_path: consider dos drive prefix Theo Niessink
2011-06-08 10:45 ` Erik Faye-Lund
2011-06-08 12:04 ` Theo Niessink
2011-06-08 12:15 ` Erik Faye-Lund
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DDFF473.7030104@kdbg.org \
--to=j6t@kdbg$(echo .)org \
--cc=git@vger$(echo .)kernel.org \
--cc=gitster@pobox$(echo .)com \
--cc=johannes.schindelin@gmx$(echo .)de \
--cc=kusmabite@gmail$(echo .)com \
--cc=theo@taletn$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox