On Thu, 2018-02-08 at 21:44 +0100, Jakub Wilk wrote:

> It's hard to tell whether they agree, because disabling git-remote-ext 
> by default is not documented AFAICT. See bug #867699.

Thanks for the pointer.

> Users might need to re-enable git-remote-ext for their own purposes, so 
> this needs to be fixed in webcheckout.

How would you suggest doing that?

 * Blacklist ext::
 * Whitelist good remote protocols

How should it handle the bad remotes?

* Fail with "potentially unsafe git remote"
* Fail with "potentially unsafe git URL, may execute code: ext::*"
* Fail with "potentially unsafe git URL, may execute code:
             git clone ext::*"

> webcheckout is also susceptible to option injection, but I couldn't find 
> a way to exploit it for anything nefarious.

I made a patch for that locally, but I wanted the commit to link to the
canonical document about option injection but I cannot find a link.
IIRC it includes how to get RCE with tar/cpio/etc option injection.
Do you remember where that can be found?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to