diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2017-08-17 22:11:31 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2017-08-17 22:11:31 -0400 |
| commit | c1aec2ae837c24b602c7a0ca3fc7b0fcad565758 (patch) | |
| tree | 6ce58560d65d4a3a6529569cfdde4c80b6b5e5bf /git-annex.cabal | |
| parent | d998fce1481a4bc7779e21cb2ff6a0fa42d72c7a (diff) | |
avoid the dashed ssh hostname class of security holes
Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.
No CVE has yet been assigned for this hole.
The same class of security hole recently affected git itself,
CVE-2017-1000117.
Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.
SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.
Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.
This commit was sponsored by Jochen Bartl on Patreon.
Diffstat (limited to 'git-annex.cabal')
| -rw-r--r-- | git-annex.cabal | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/git-annex.cabal b/git-annex.cabal index a5a1294c1..4b7eadfb7 100644 --- a/git-annex.cabal +++ b/git-annex.cabal @@ -1055,6 +1055,7 @@ Executable git-annex Utility.SimpleProtocol Utility.Split Utility.SshConfig + Utility.SshHost Utility.Su Utility.SystemDirectory Utility.TList |