On Sun, 2018-02-11 at 22:04 +0800, Paul Wise wrote:

> I think I will check the git version and apply the manual
> whitelisting only for versions of git older than 2.12.

Attached my proposed patch for the git issue.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
From 014f4dae7859e9121b3bd96dd7fd7a7d4a62ac6a Mon Sep 17 00:00:00 2001
From: Paul Wise <[email protected]>
Date: Sun, 11 Feb 2018 21:57:49 +0800
Subject: [PATCH] Mitigate vulnerabilities caused by some git remotes being
 able to execute code

Set GIT_PROTOCOL_FROM_USER=0 with git versions newer than 2.12.

Manually whitelist known-safe protocols (http, https, git, ssh, file)
when using git versions older than 2.12.
---
 webcheckout | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/webcheckout b/webcheckout
index c817605..1b59c75 100755
--- a/webcheckout
+++ b/webcheckout
@@ -71,6 +71,16 @@ use Getopt::Long;
 use warnings;
 use strict;
 
+# Mitigate some git remote types being dangerous
+my $git_unsafe = 1;
+my $git_version = `git --version`;
+$git_version =~ s/^git version //;
+my ($major, $minor, undef) = split(/\./, $git_version);
+if (int($major) >= 2 && int($minor) >= 12) {
+	$ENV{GIT_PROTOCOL_FROM_USER} = 0;
+	$git_unsafe = 0;
+}
+
 # What to download.
 my $url;
 
@@ -89,7 +99,16 @@ my $destdir;
 
 # how to perform checkouts
 my %handlers=(
-	git => sub { doit(qw(git clone --), shift, $destdir) },
+	git => sub {
+		my $git_url = shift;
+		# Reject unsafe URLs with older versions of git
+		# that do not already check the URL safety.
+		if ($git_unsafe && $git_url !~ /^(?:https?|git|ssh|file):[^:]/) {
+			print STDERR "potentially unsafe git URL, may execute arbitrary code\n";
+			return 1;
+		}
+		doit(qw(git clone --), $git_url, $destdir)
+	},
 	svn => sub { doit(qw(svn checkout --), shift, $destdir) },
 	bzr => sub { doit(qw(bzr branch --), shift, $destdir) },
 );
-- 
2.15.1

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to