path: root/Git/Ssh.hs
Commit message / Author / Age
* avoid the dashed ssh hostname class of security holes (Joey Hess, 2017-08-17)

  Security fix: Disallow hostname starting with a dash, which would get passed to ssh and be treated as an option. This could be used by an attacker who provides a crafted ssh url (for eg a git remote) to execute arbitrary code via ssh -oProxyCommand.

  No CVE has yet been assigned for this hole. The same class of security hole recently affected git itself, CVE-2017-1000117.

  Method: Identified all places where ssh is run, by git grep '"ssh"'
  Converted them all to use a SshHost, if they did not already, for specifying the hostname.
  SshHost was made a data type with a smart constructor, which rejects hostnames starting with '-'.

  Note that git-annex already contains extensive use of Utility.SafeCommand, which fixes a similar class of problem where a filename starting with a dash gets passed to a program which treats it as an option.

  This commit was sponsored by Jochen Bartl on Patreon.
* fix GIT_SSH_COMMAND -n parameter (Joey Hess, 2017-03-20)

  It was being passed to sh, not to the command, oops.

  Noticed because it broke the test suite on OSX, where sh -n silently does nothing. Would also break on Linux when eg posh was being used as the shell; bash ignores the -n.

  This commit was supported by the NSF-funded DataLad project.
* super tricky shell command generation hack (Joey Hess, 2017-03-17)

  GIT_SSH_COMMAND was not working correctly with git-annex get, because when used in rsync -e, there were additional parameters appended at the end, which the GIT_SSH_COMMAND should not see.

  Fixed by constructing the shell command differently.

  This commit was supported by the NSF-funded DataLad project.
* fix over-shell-escape (Joey Hess, 2017-03-17)

  Seems I had one time too many.
* Support GIT_SSH and GIT_SSH_COMMAND (Joey Hess, 2017-03-17)

  They are handled close to the same as they are by git. However, unlike git, git-annex sometimes needs to pass the -n parameter when using these.

  So, this has the potential for breaking some setup, and perhaps there ought to be an ANNEX_USE_GIT_SSH=1 needed to use these. But I'd rather avoid that if possible, so let's see if anyone complains.

  Almost all places where "ssh" was run have been changed to support the env vars. Anything still calling sshOptions does not support them. In particular, rsync special remotes don't. Seems that annex-rsync-transport already gives sufficient control there.

  (Fixed in passing: Remote.Helper.Ssh.toRepo used to extract remoteAnnexSshOptions and pass them to sshOptions, which was redundant since sshOptions also extracts those.)

  This commit was sponsored by Jeff Goeke-Smith on Patreon.
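
The smart-constructor method described in the 2017-08-17 commit message above, sketched as an added Haskell example. It is not the code from Git/Ssh.hs: only the name SshHost comes from the commit message, while mkSshHost, fromSshHost, sshParams, hostFromUrl and the sample URLs are assumptions made for illustration.

```haskell
module Main where

import Data.List (stripPrefix)

-- A hostname that has been checked and may be passed to ssh.
-- In a real module the SshHost constructor would not be exported, so
-- mkSshHost (hypothetical name) is the only way to obtain a value.
newtype SshHost = SshHost String
  deriving (Show, Eq)

-- Smart constructor: refuse any hostname that ssh would parse as an option.
mkSshHost :: String -> Either String SshHost
mkSshHost ('-':rest) = Left ("ssh hostname starts with a dash: -" ++ rest)
mkSshHost h = Right (SshHost h)

fromSshHost :: SshHost -> String
fromSshHost (SshHost h) = h

-- Every place that builds an ssh command line takes an SshHost, not a
-- String, so an unchecked hostname cannot reach the argument vector.
sshParams :: SshHost -> [String] -> [String]
sshParams host remoteCmd = fromSshHost host : remoteCmd

-- Simplified, hypothetical url handling: ssh://[user@]host[:port]/path
hostFromUrl :: String -> Either String SshHost
hostFromUrl url = case stripPrefix "ssh://" url of
  Nothing -> Left ("not an ssh url: " ++ url)
  Just rest ->
    let authority = takeWhile (/= '/') rest
        hostport = case break (== '@') authority of
          (_, '@':hp) -> hp
          (hp, _) -> hp
    in mkSshHost (takeWhile (/= ':') hostport)

main :: IO ()
main = mapM_ check
  [ "ssh://git@example.com/srv/repo.git"            -- constructed sample
  , "ssh://-oProxyCommand=PLACEHOLDER/srv/repo.git" -- constructed sample
  ]
  where
    check url = case hostFromUrl url of
      Left err -> putStrLn ("rejected: " ++ err)
      Right host ->
        putStrLn ("ssh " ++ unwords (sshParams host ["git-annex-shell"]))
```

Because the check lives in the type's only constructor, a call site added later cannot skip it without failing to compile.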