* Paul Wise <[email protected]>, 2018-02-09, 09:56:
Users might need to re-enable git-remote-ext for their own purposes,
so this needs to be fixed in webcheckout.
How would you suggest doing that?
* Blacklist ext::
* Whitelist good remote protocols
For Git (>= 2.12), you can set GIT_PROTOCOL_FROM_USER=0 in environment.
Quoting git(1): "this is useful [...] for programs which feed
potentially-untrusted URLS to git commands".
If you want to support older versions of Git, I guess you should mimic
what GIT_PROTOCOL_FROM_USER=0 does by default, i.e. whitelist known-good
protocols.
How should it handle the bad remotes?
I think printing the whole suspicious URL would make sense.
webcheckout is also susceptible to option injection, but I couldn't
find a way to exploit it for anything nefarious.
I made a patch for that locally, but I wanted the commit to link to the
canonical document about option injection but I cannot find a link.
IIRC it includes how to get RCE with tar/cpio/etc option injection. Do
you remember where that can be found?
I haven't heard about it.
--
Jakub Wilk