avoid the dashed ssh hostname class of security holes
Security fix: Disallow hostname starting with a dash, which would get passed to ssh and be treated an option. This could be used by an attacker who provides a crafted ssh url (for eg a git remote) to execute arbitrary code via ssh -oProxyCommand. No CVE has yet been assigned for this hole. The same class of security hole recently affected git itself, CVE-2017-1000117. Method: Identified all places where ssh is run, by git grep '"ssh"' Converted them all to use a SshHost, if they did not already, for specifying the hostname. SshHost was made a data type with a smart constructor, which rejects hostnames starting with '-'. Note that git-annex already contains extensive use of Utility.SafeCommand, which fixes a similar class of problem where a filename starting with a dash gets passed to a program which treats it as an option. This commit was sponsored by Jochen Bartl on Patreon.
This commit is contained in:
parent
25e55e7c2f
commit
df11e54788
12 changed files with 106 additions and 61 deletions
|
@ -48,6 +48,7 @@ import Utility.Rsync
|
|||
import Utility.Tmp
|
||||
import Logs.Remote
|
||||
import Utility.Gpg
|
||||
import Utility.SshHost
|
||||
|
||||
remote :: RemoteType
|
||||
remote = RemoteType {
|
||||
|
@ -158,8 +159,9 @@ rsyncTransport r gc
|
|||
let rsyncpath = if "/~/" `isPrefixOf` path
|
||||
then drop 3 path
|
||||
else path
|
||||
opts <- sshOptions ConsumeStdin (host, Nothing) gc []
|
||||
return (rsyncShell $ Param "ssh" : opts, host ++ ":" ++ rsyncpath, AccessShell)
|
||||
let sshhost = either error id (mkSshHost host)
|
||||
opts <- sshOptions ConsumeStdin (sshhost, Nothing) gc []
|
||||
return (rsyncShell $ Param "ssh" : opts, fromSshHost sshhost ++ ":" ++ rsyncpath, AccessShell)
|
||||
othertransport = return ([], loc, AccessDirect)
|
||||
|
||||
noCrypto :: Annex a
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue