Sitaram Chamarty
Nov 9, 2014, 10:39:05 PM
to Gitolite Google Groups, gitolite...@googlegroups.com
Hi,
Someone pointed me to an issue with symbolic-ref, and I not only did not
do anything about it, but I even lost the original email. (Whoever you
are, if you're on this list please speak up. And thank you!) I only
remembered because I found a note to myself to "fix symbolic-ref". Not
being able to find the email means this is not recent either :(
The issue is that the symbolic-ref command is vulnerable to path
traversal.
Luckily it's not enabled by default. It's not even left in as a
commented out entry in the rc file, so you have to manually add it.
This means most sites should NOT be affected.
On the other hand, this would be the third or fourth path traversal
issue in gitolite over the years, and I'm getting tired of it. When
there are so many "commands", something will slip, and there may be more
in future. More importantly, even commands *you* write for your own use
on your own site may have this issue.
Therefore, I am now banning "../" everywhere by default.
As of now (v3.6.2, pushed just now), all commands -- those shipped with
gitolite as well as your own -- are automatically protected from path
traversal issues.
Any commands that need this must be declared in the rc file (within the
ENABLE list) like this:
'my-command ua',
instead of
'my-command',
at which point ALL argument sanitisation -- not just "../" but
everything else that can be misused -- becomes the command's
responsibility. "ua" stands for "unrestricted arguments".
The only shipped command that requires this at present is
"git-annex-shell", which is actually a very special case.
regards
sitaram
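The mechanism described above, as an added illustration (this is not gitolite's own code, which is Perl; the rc file, ENABLE list contents, command names other than the two mentioned in the post, and the exact traversal pattern are all constructed for this example): parse ENABLE entries of the form 'my-command' or 'my-command ua', and apply the default argument check only to commands that did not opt out. The check here flags any ".." path component, which is slightly broader than the literal "../" the post mentions; that choice is this example's, not a statement about what v3.6.2 does.

```python
"""Illustration of "ua" (unrestricted arguments) versus default-protected
commands.  Constructed example; not gitolite code."""
import re

# Constructed stand-in for the string entries a site would place inside the
# rc file's ENABLE list.  'symbolic-ref' is not enabled by default in
# gitolite; it appears here only to show a default-protected command.
ENABLE = [
    'help',
    'info',
    'symbolic-ref',          # default-protected: traversal in args is rejected
    'git-annex-shell ua',    # opts out: the command must sanitise everything itself
]

# ".." appearing as a whole path component (covers "../x", "x/../y", "x/..").
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def parse_enable(entries):
    """Map command name -> True when the entry carries the 'ua' flag."""
    table = {}
    for entry in entries:
        parts = entry.split()
        if not parts:
            continue
        table[parts[0]] = 'ua' in parts[1:]
    return table


def has_traversal(arg):
    """True if the argument contains a '..' path component."""
    return bool(TRAVERSAL.search(arg))


def check_args(enable_table, command, args):
    """Decide whether a command may run with these arguments.

    Returns (ok, reason).  Commands not in the ENABLE list are refused;
    'ua' commands get their arguments passed through untouched; all other
    commands are refused if any argument contains path traversal.
    """
    if command not in enable_table:
        return False, f"command not enabled: {command}"
    if enable_table[command]:
        return True, "unrestricted arguments: command sanitises itself"
    for arg in args:
        if has_traversal(arg):
            return False, f"path traversal in argument: {arg!r}"
    return True, "arguments accepted"


if __name__ == "__main__":
    table = parse_enable(ENABLE)
    for cmd, args in [
        ('symbolic-ref', ['repo', 'HEAD', 'refs/heads/master']),
        ('symbolic-ref', ['../other-repo', 'HEAD']),
        ('git-annex-shell', ['../x']),
        ('rm-everything', ['x']),
    ]:
        print(cmd, args, '->', check_args(table, cmd, args))
```

The point of the split is visible in the output: the same "../" argument is refused for the default-protected command and waved through for the 'ua' one, so an author who writes 'my-command ua' has knowingly taken on all argument checking.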