allow ftp urls by default
They're no worse than http certainly. And, the backport of these security fixes has to deal with wget, which supports http https and ftp and has no way to turn off individual schemes, so this will make that easier.
parent
c93b6c1e08
commit
3c0a538335
5 changed files with 5 additions and 5 deletions
|
@ -1,7 +1,7 @@
|
||||||
git-annex (6.20180622) UNRELEASED; urgency=high
|
git-annex (6.20180622) UNRELEASED; urgency=high
|
||||||
|
|
||||||
* Added annex.security.allowed-url-schemes setting, which defaults
|
* Added annex.security.allowed-url-schemes setting, which defaults
|
||||||
to only allowing http and https URLs. Note especially that file:/
|
to only allowing http, https, and ftp URLs. Note especially that file:/
|
||||||
is no longer enabled by default. This is a security fix.
|
is no longer enabled by default. This is a security fix.
|
||||||
* Removed annex.web-download-command, since its interface does not allow
|
* Removed annex.web-download-command, since its interface does not allow
|
||||||
supporting annex.security.allowed-url-schemes across redirects.
|
supporting annex.security.allowed-url-schemes across redirects.
|
||||||
|
|
2
NEWS
|
@ -1,6 +1,6 @@
|
||||||
git-annex (6.20180622) upstream; urgency=high
|
git-annex (6.20180622) upstream; urgency=high
|
||||||
|
|
||||||
A security fix has changed git-annex to only support http and https
|
A security fix has changed git-annex to only support http, https, and ftp
|
||||||
URL schemes by default. You can enable other URL schemes, at your own risk,
|
URL schemes by default. You can enable other URL schemes, at your own risk,
|
||||||
using annex.security.allowed-url-schemes.
|
using annex.security.allowed-url-schemes.
|
||||||
|
|
||||||
|
|
|
@ -162,7 +162,7 @@ extractGitConfig r = GitConfig
|
||||||
, annexRetryDelay = Seconds
|
, annexRetryDelay = Seconds
|
||||||
<$> getmayberead (annex "retrydelay")
|
<$> getmayberead (annex "retrydelay")
|
||||||
, annexAllowedUrlSchemes = S.fromList $ map mkScheme $
|
, annexAllowedUrlSchemes = S.fromList $ map mkScheme $
|
||||||
maybe ["http", "https"] words $
|
maybe ["http", "https", "ftp"] words $
|
||||||
getmaybe (annex "security.allowed-url-schemes")
|
getmaybe (annex "security.allowed-url-schemes")
|
||||||
, annexAllowedHttpAddresses = fromMaybe "" $
|
, annexAllowedHttpAddresses = fromMaybe "" $
|
||||||
getmaybe (annex "security.allowed-http-addresses")
|
getmaybe (annex "security.allowed-http-addresses")
|
||||||
|
|
|
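Review bot: With ftp added to the default for `annexAllowedUrlSchemes`, the neighbouring `annexAllowedHttpAddresses` (key "security.allowed-http-addresses") needs to be checked against ftp downloads too. Its name suggests an http-only restriction; if ftp transfers are not covered by it, an ftp URL is now accepted by default without the address limit that http URLs get. Either apply the same address check to ftp, or state in the documentation for that setting that it covers ftp as well.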
@ -100,7 +100,7 @@ defUrlOptions = UrlOptions
|
||||||
<*> pure DownloadWithConduit
|
<*> pure DownloadWithConduit
|
||||||
<*> pure id
|
<*> pure id
|
||||||
<*> newManager managerSettings
|
<*> newManager managerSettings
|
||||||
<*> pure (S.fromList $ map mkScheme ["http", "https"])
|
<*> pure (S.fromList $ map mkScheme ["http", "https", "ftp"])
|
||||||
|
|
||||||
mkUrlOptions :: Maybe UserAgent -> Headers -> UrlDownloader -> Manager -> S.Set Scheme -> UrlOptions
|
mkUrlOptions :: Maybe UserAgent -> Headers -> UrlDownloader -> Manager -> S.Set Scheme -> UrlOptions
|
||||||
mkUrlOptions defuseragent reqheaders urldownloader manager =
|
mkUrlOptions defuseragent reqheaders urldownloader manager =
|
||||||
|
|
|
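Review bot: The default scheme list in `defUrlOptions` is a second copy of the literal `["http", "https", "ftp"]` that `extractGitConfig` also carries, and this commit had to edit both by hand. Consider a single named default that both places use, so the two cannot drift apart in a later security change. It is also worth confirming that the `DownloadWithConduit` downloader set a few lines above can actually fetch ftp URLs, since they now pass the scheme check here.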
@ -1394,7 +1394,7 @@ Here are all the supported configuration settings.
|
||||||
* `annex.security.allowed-url-schemes`
|
* `annex.security.allowed-url-schemes`
|
||||||
|
|
||||||
List of URL schemes that git-annex is allowed to download content from.
|
List of URL schemes that git-annex is allowed to download content from.
|
||||||
The default is "http https".
|
The default is "http https ftp".
|
||||||
|
|
||||||
Think very carefully before changing this; there are security
|
Think very carefully before changing this; there are security
|
||||||
implications. For example, if it's changed to allow "file" URLs, then
|
implications. For example, if it's changed to allow "file" URLs, then
|
||||||
|
|
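Review bot: The documentation now gives the default as "http https ftp" but does not say how to return to the stricter set. A sentence after the default, noting that setting `annex.security.allowed-url-schemes` to "http https" turns ftp off, would help users who do not want ftp. The "Think very carefully before changing this" warning that follows reads as aimed at widening the list, so it may be worth saying that narrowing it is safe.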