summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar achilleas.k@14be77d42a1252fab5ec9dbf4e5ea03c5833e8c8 <achilleask@web>2017-04-26 16:34:56 +0000
committerGravatar admin <admin@branchable.com>2017-04-26 16:34:56 +0000
commiteec394aa74e7a5baa1e677976a0331a6532bf7aa (patch)
treefd61147174841530ebe4391c8ca9edbd92dfd991
parentef6a2807e9b1ac5c4650560f4a9f702b67b4dcc2 (diff)
-rw-r--r--doc/forum/Malicious_autoenabled_remotes.mdwn5
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/forum/Malicious_autoenabled_remotes.mdwn b/doc/forum/Malicious_autoenabled_remotes.mdwn
new file mode 100644
index 000000000..274d5c215
--- /dev/null
+++ b/doc/forum/Malicious_autoenabled_remotes.mdwn
@@ -0,0 +1,5 @@
+I've been trying to figure out whether git-annex can be used to make a user unknowingly download data from a malicious source. The general question here is, assuming a git/git-annex server that I can fully trust to be safe and secure (let's call it `trustedserver`):
+
+*Is it possible, when performing (for example) `git clone git@trustedserver:user/repo && cd repo && git annex init` for annex to set up and enable a remote that is **not** on `trustedserver`?*
+
+I'm trying to imagine a scenario where someone with access to the repository (a person who I share files with) can set up a remote to a different server (e.g., `badremote`), set it to `autoenable=true`, and sync changes. Would this enable the other user to put files on `badremote` that are not on `trustedserver` but are tracked by annex? More importantly, if this happens and I perform a `git clone` -> `git annex init` -> `git annex sync --content`, would I be downloading files from `badremote` without specifically enabling it?