init: Avoid autoenabling special remotes that have control characters in their names
I'm on the fence about this. Notice that pulling from a git remote can pull branches that have escape sequences in their names. Git will display those as-is. Arguably git should try harder to avoid that. But, names of remotes are usually up to the local user, and autoenable changes that, and so it makes sense that git chooses to display control characters in names of remotes, and so autoenable needs to guard against it. Sponsored-by: Graham Spencer on Patreon
This commit is contained in:
parent
de68e3dd4f
commit
c50aa21d5f
3 changed files with 16 additions and 5 deletions
|
@ -23,6 +23,7 @@ import Logs.Remote
|
|||
import Logs.Trust
|
||||
import qualified Types.Remote as Remote
|
||||
import Git.Types (RemoteName)
|
||||
import Utility.SafeOutput
|
||||
|
||||
import qualified Data.Map as M
|
||||
|
||||
|
@ -95,7 +96,12 @@ autoEnable = do
|
|||
Just (Sameas u') -> u'
|
||||
Nothing -> cu
|
||||
case (lookupName c, findType c) of
|
||||
(Just name, Right t) -> do
|
||||
-- Avoid auto-enabling when the name contains a
|
||||
-- control character, because git does not avoid
|
||||
-- displaying control characters in the name of a
|
||||
-- remote, and an attacker could leverage
|
||||
-- autoenabling it as part of an attack.
|
||||
(Just name, Right t) | safeOutput name == name -> do
|
||||
showSideAction $ UnquotedString $ "Auto enabling special remote " ++ name
|
||||
dummycfg <- liftIO dummyRemoteGitConfig
|
||||
tryNonAsync (setup t (AutoEnable c) (Just u) Nothing c dummycfg) >>= \case
|
||||
|
|
10
CHANGELOG
10
CHANGELOG
|
@ -1,17 +1,19 @@
|
|||
git-annex (10.20230408) UNRELEASED; urgency=medium
|
||||
|
||||
* Many commands now quotes filenames that contain unusual characters the
|
||||
* Many commands now quote filenames that contain unusual characters the
|
||||
same way that git does, to avoid exposing control characters to the terminal.
|
||||
* Support core.quotePath, which can be set to false to display utf8
|
||||
characters as-is in filenames.
|
||||
* Control characters in information coming from the repository or other
|
||||
possible untrusted sources are filtered out of the display of many
|
||||
* Control characters in non-filename data coming from the repository or
|
||||
other possible untrusted sources are filtered out of the display of many
|
||||
commands.
|
||||
* find, findkeys, examinekey: When outputting to a terminal and --format
|
||||
is not used, quote unusual characters.
|
||||
is not used, quote unusual characters.
|
||||
(Similar to the behavior of GNU find.)
|
||||
* addurl --preserve-filename now rejects filenames that contain other
|
||||
control characters, besides the escape sequences it already rejected.
|
||||
* init: Avoid autoenabling special remotes that have control characters
|
||||
in their names.
|
||||
|
||||
-- Joey Hess <id@joeyh.name> Sat, 08 Apr 2023 13:57:18 -0400
|
||||
|
||||
|
|
|
@ -52,6 +52,9 @@ that, when outputting to a terminal?
|
|||
Also: git-annex initremote with autoenable may be able to cause a remote
|
||||
with a malicious name to be set up?
|
||||
|
||||
> Fixed this by silently skipping autoenable, which seems fine since only
|
||||
> an attacker would ever try this.
|
||||
|
||||
Also: Any place that an exception is thrown with an attacker-controlled value.
|
||||
`giveup` has been made to filter out control characters, but that leaves
|
||||
other exceptions, including ones thrown by libraries. Catch all exceptions
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue