mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

close off newline injection attacks against compute special remote protocol

Browse source
This commit is contained in:
Joey Hess 2025-03-11 12:04:58 -04:00
parent 73a8ba5307
commit 0ee644b417
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
2 changed files with 18 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
doc/todo/compute_special_remote_remaining_todos.mdwn
View file

@ -1,10 +1,6 @@
This is the remainder of my todo list while I was building the
compute special remote. --[[Joey]]
* prohibit using compute states where an input or output filename contains
a newline. The protocol doesn't allow this to happen usually, but an
attacker might try it in order to scramble the protocol.
* git-annex responds to each INPUT immediately, and flushes stdout.
This could cause problems if the program is sending several INPUT
first, before reading responses, as is documented it should do to allow