Joey Hess 2018-06-18 14:25:55 -04:00
parent 71d39caf5c
commit c93b6c1e08
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38

@ -0,0 +1,16 @@
Spent several hours dealing with the problem of http proxies, which
bypassed the IP address checks added to prevent the security hole.
Eventually got it filtering out http proxies located on private IP
addresses.
Other than the question of what to do about external special remotes
that may be vulerable to related problems, it looks like the security
hole is all closed off in git-annex now.
Added a new page [[security]] with details of this and past security holes
in git-annex.
Several people I reached out to for help with special remotes have gotten
back to me, and we're discussing how the security hole may affect them and
what to do. Thanks especially to Robie Basak and Daniel Dent for their
work on security analysis.
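
Review bot: "vulerable" in the sentence about external special remotes should be "vulnerable". That same sentence leaves the external special remote question open while concluding that the hole is "all closed off in git-annex now", which is easy to read as a complete fix; consider saying explicitly that external special remotes are not yet covered and that the [[security]] page carries the current status. The proxy paragraph also only says proxies "located on private IP addresses" are filtered out; a short clause on how other http proxies are treated would make the entry self-contained.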