author | Joey Hess <joeyh@joeyh.name> | 2017-02-24 11:17:07 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2017-02-24 11:22:15 -0400 |
commit | 52249bd6c6c27df089969e956d9952b1a432ca45 (patch) | |
tree | 83c4df66d20abf6929b6face397e21906e02c341 /CHANGELOG | |
parent | 845cce262c5f593e00e5cc5ebd7619595d848f36 (diff) |
make file2key reject E* backend keys with a long extension

I am not happy that I had to put backend-specific code in file2key. But
it would be very difficult to avoid this layering violation.

Most of the time, when parsing a Key from a symlink target, git-annex
never looks up its Backend at all, so adding this check to a method of
the Backend object would not work.

The Key could be made to contain the appropriate
Backend, but since Backend is parameterized on an "a" that is fixed to
the Annex monad later, that would need Key to change to "Key a".

The only way to clean this up that I can see would be to have the Key
contain a LowlevelBackend, and put the validation in LowlevelBackend.
Perhaps later, but that would be an extensive change, so let's not do
it in this commit which may want to cherry-pick to backports.

This commit was sponsored by Ethan Aubin.
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -33,9 +33,10 @@ git-annex (6.20170215) UNRELEASED; urgency=medium to wget, since curl is able to display only errors to stderr, unlike wget. * status: Pass --ignore-submodules=when option on to git status. - * Tighten key parser to not accept keys containing non-numeric - fields, which could be used to embed data useful for a SHA1 - attack against git. + * Tighten key parser to mitigate against hypothetical SHA1 preimage + attacks. This ensures that signed git commits of annexed files + will remain secure, even against the worst possible future SHA1 + attacks, as long as git-annex is using a secure hashing backend. -- Joey Hess <id@joeyh.name> Tue, 14 Feb 2017 15:54:25 -0400 |
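Review bot: the reworded CHANGELOG bullet no longer says what the key parser actually rejects. The removed lines named the rule ("keys containing non-numeric fields"), and the commit subject names a second one (E* backend keys with a long extension), but the new text states only the goal. Suggest keeping a short clause on the concrete behaviour, so that anyone who hits a rejected key can match it to this entry. The guarantee is also conditioned on "a secure hashing backend" without saying which backends qualify; naming them, or pointing to where that is documented, would make the claim checkable. Minor wording: "mitigate against" can be just "mitigate".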