git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack. That's only supposed to be used when git-annex-remotedaemon is serving git-remote-tor-annex connections over Tor. But, it was always set, and so could be used in other places possibly.

Fixed by making connRepo optional in the P2P protocol interface.

In Command.EnableTor, it's not needed, because it only speaks the protocol in order to check that it's able to connect back to itself via the hidden service. So changed that to pass Nothing rather than the git repo.

In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio, so is making the requests, so will never need connRepo.

In git-annex-shell p2pstdio, it was accepting git upload-pack and receive-pack requests over the P2P protocol, even though nothing sent them. This is arguably a security hole, particularly if the user has set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent git push/pull via git-annex-shell.
parent 783eb8879a
commit 9a8391078a
8 changed files with 26 additions and 27 deletions
|
@ -105,11 +105,10 @@ checkHiddenService = bracket setup cleanup go
|
|||
|
||||
check 0 _ = giveup "Still unable to connect to hidden service. It might not yet be usable by others. Please check Tor's logs for details."
|
||||
check _ [] = giveup "Somehow didn't get an onion address."
|
||||
check n addrs@(addr:_) = do
|
||||
g <- Annex.gitRepo
|
||||
check n addrs@(addr:_) =
|
||||
-- Connect but don't bother trying to auth,
|
||||
-- we just want to know if the tor circuit works.
|
||||
liftIO (tryNonAsync $ connectPeer g addr) >>= \case
|
||||
liftIO (tryNonAsync $ connectPeer Nothing addr) >>= \case
|
||||
Left e -> do
|
||||
warning $ UnquotedString $ "Unable to connect to hidden service. It may not yet have propagated to the Tor network. (" ++ show e ++ ") Will retry.."
|
||||
liftIO $ threadDelaySeconds (Seconds 2)
|
||||
|
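Review bot: At the call `liftIO (tryNonAsync $ connectPeer Nothing addr)`, the bare `Nothing` gives a reader no hint of what is being withheld. The comment just above it only covers auth ("Connect but don't bother trying to auth"); extend it to say that no repository is passed because this connection only tests the Tor circuit and so must not be usable for relaying git upload-pack or receive-pack. That makes it less likely a later edit passes the repo back in here out of habit.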
@ -123,19 +122,18 @@ checkHiddenService = bracket setup cleanup go
|
|||
-- service's socket, start a listener. This is only run during the
|
||||
-- check, and it refuses all auth attempts.
|
||||
startlistener = do
|
||||
r <- Annex.gitRepo
|
||||
u <- getUUID
|
||||
msock <- torSocketFile
|
||||
case msock of
|
||||
Just sockfile -> ifM (liftIO $ haslistener sockfile)
|
||||
( liftIO $ async $ return ()
|
||||
, liftIO $ async $ runlistener sockfile u r
|
||||
, liftIO $ async $ runlistener sockfile u
|
||||
)
|
||||
Nothing -> giveup "Could not find socket file in Tor configuration!"
|
||||
|
||||
runlistener sockfile u r = serveUnixSocket sockfile $ \h -> do
|
||||
runlistener sockfile u = serveUnixSocket sockfile $ \h -> do
|
||||
let conn = P2PConnection
|
||||
{ connRepo = r
|
||||
{ connRepo = Nothing
|
||||
, connCheckAuth = const False
|
||||
, connIhdl = h
|
||||
, connOhdl = h
|
||||
|
|
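Review bot: The comment above `startlistener` still describes the listener only as one that "refuses all auth attempts", while `runlistener` now also sets `connRepo = Nothing`. Update that comment to name both restrictions, since `connCheckAuth = const False` and `connRepo = Nothing` together are what keep this temporary listener from doing anything beyond the connectivity check. A test that builds a connection with `connRepo = Nothing`, sends it a relay request and expects a refusal would pin down the behaviour the commit message describes; nothing in the visible lines exercises it.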