Welcome to mirror list, hosted at ThFree Co, Russian Federation.

git.kernel.org/pub/scm/git/git.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTaylor Blau <me@ttaylorr.com>2022-07-29 22:22:13 +0300
committerTaylor Blau <me@ttaylorr.com>2022-10-01 07:23:38 +0300
commita1d4f67c12ac172f835e6d5e4e0a197075e2146b (patch)
treee2cca7e4b66b8437356b37f6f431f2a94fa365eb /transport.c
parentf4a32a550f9d40471fb42ed1e5c8612dfe4a83b1 (diff)
transport: make `protocol.file.allow` be "user" by default
An earlier patch discussed and fixed a scenario where Git could be used as a vector to exfiltrate sensitive data through a Docker container when a potential victim clones a suspicious repository with local submodules that contain symlinks. That security hole has since been plugged, but a similar one still exists. Instead of convincing a would-be victim to clone an embedded submodule via the "file" protocol, an attacker could convince an individual to clone a repository that has a submodule pointing to a valid path on the victim's filesystem. For example, if an individual (with username "foo") has their home directory ("/home/foo") stored as a Git repository, then an attacker could exfiltrate data by convincing a victim to clone a malicious repository containing a submodule pointing at "/home/foo/.git" with `--recurse-submodules`. Doing so would expose any sensitive contents in stored in "/home/foo" tracked in Git. For systems (such as Docker) that consider everything outside of the immediate top-level working directory containing a Dockerfile as inaccessible to the container (with the exception of volume mounts, and so on), this is a violation of trust by exposing unexpected contents in the working copy. To mitigate the likelihood of this kind of attack, adjust the "file://" protocol's default policy to be "user" to prevent commands that execute without user input (including recursive submodule initialization) from taking place by default. Suggested-by: Jeff King <peff@peff.net> Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 'transport.c')
-rw-r--r--transport.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/transport.c b/transport.c
index 679a35e7c1..d2e3a90de1 100644
--- a/transport.c
+++ b/transport.c
@@ -964,8 +964,7 @@ static enum protocol_allow_config get_protocol_config(const char *type)
if (!strcmp(type, "http") ||
!strcmp(type, "https") ||
!strcmp(type, "git") ||
- !strcmp(type, "ssh") ||
- !strcmp(type, "file"))
+ !strcmp(type, "ssh"))
return PROTOCOL_ALLOW_ALWAYS;
/* known scary; err on the side of caution */