git-annex/Annex
Joey Hess df11e54788
avoid the dashed ssh hostname class of security holes
Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.

No CVE has yet been assigned for this hole.
The same class of security hole recently affected git itself,
CVE-2017-1000117.

Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.

SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.

Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.

This commit was sponsored by Jochen Bartl on Patreon.
2017-08-17 22:11:31 -04:00
..
Branch Unneded constraint 2016-01-28 12:34:07 -04:00
Content Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
LockPool clarify 2016-03-01 16:22:47 -04:00
MetaData update my email address and homepage url 2015-01-21 12:50:09 -04:00
View remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Action.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
AdjustedBranch.hs configuration to disable automatic merge conflict resolution 2017-06-01 12:51:01 -04:00
AutoMerge.hs configuration to disable automatic merge conflict resolution 2017-06-01 12:51:01 -04:00
BloomFilter.hs Another redundant constraint 2016-01-28 12:34:07 -04:00
Branch.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
BranchState.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
CatFile.hs Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
ChangedRefs.hs make tor hidden service work when directory watching is not available 2016-12-09 16:40:47 -04:00
CheckAttr.hs annex.largefiles can be configured in .gitattributes too 2016-02-02 15:18:17 -04:00
CheckIgnore.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Common.hs factor non-type stuff out of Key 2017-02-24 13:42:30 -04:00
Concurrent.hs have onLocal stop any coprocesses, not only cat-file 2017-02-17 14:30:18 -04:00
Content.hs annex.securehashesonly 2017-02-27 13:33:59 -04:00
Difference.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Direct.hs fix bug introduced in 07f1e638ee 2017-02-28 13:24:26 -04:00
DirHashes.hs stop using MissingH for MD5 2017-05-15 21:36:03 -04:00
Drop.hs AssociatedFile newtype 2017-03-10 13:35:31 -04:00
Environment.hs also avoid crashing in most circumstances if unable to determine the username 2016-06-08 15:04:15 -04:00
FileMatcher.hs AssociatedFile newtype 2017-03-10 13:35:31 -04:00
Fixup.hs avoid warnings about not exported System.Directory.isSymbolicLink 2016-04-28 15:18:11 -04:00
GitOverlay.hs Optimisations to git-annex branch query and setting, avoiding repeated copies of the environment. 2016-09-29 13:36:48 -04:00
HashObject.hs Sped up git-annex add in direct mode and v6 by using git hash-object --batch. 2016-03-14 15:58:46 -04:00
Hook.hs post-recive hook to make updateInstead work in direct mode and adjusted branches 2017-02-17 14:04:43 -04:00
Ingest.hs annex.securehashesonly 2017-02-27 13:33:59 -04:00
Init.hs inheritable annex.securehashesonly 2017-02-27 16:08:23 -04:00
InodeSentinal.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Journal.hs Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
Link.hs Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
Locations.hs migrate: WORM keys containing spaces will be migrated to not contain spaces anymore 2017-08-17 15:09:38 -04:00
LockFile.hs Ssh password prompting improved when using -J 2017-05-11 17:36:03 -04:00
LockPool.hs pid locking configuration and abstraction layer for git-annex 2015-11-12 17:50:34 -04:00
MakeRepo.hs Use git-annex init --version=6 to get v6 for now 2015-12-15 17:17:13 -04:00
MetaData.hs Added metadata --batch option, which allows getting, setting, deleting, and modifying metadata for multiple files/keys. 2016-07-27 10:46:25 -04:00
Multicast.hs fix build with old ghc 2017-05-10 14:39:15 -04:00
Notification.hs AssociatedFile newtype 2017-03-10 13:35:31 -04:00
NumCopies.hs handle SomeAsyncException same as AsyncException 2016-06-20 10:31:47 -04:00
Path.hs Fix bug introduced in the last release that broke git-annex sync when git-annex was installed from the standalone tarball. 2015-03-27 12:55:18 -04:00
Perms.hs post-recive hook to make updateInstead work in direct mode and adjusted branches 2017-02-17 14:04:43 -04:00
Queue.hs withAltRepo needs a separate queue of changes 2016-06-03 13:57:00 -04:00
Quvi.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
ReplaceFile.hs Windows: Fix an over-long temp directory name. 2016-05-06 12:49:41 -04:00
SpecialRemote.hs add annex-ignore-command and annex-sync-command configs 2017-08-17 13:54:14 -04:00
Ssh.hs avoid the dashed ssh hostname class of security holes 2017-08-17 22:11:31 -04:00
TaggedPush.hs Some optimisations to string splitting code. 2017-01-31 19:06:22 -04:00
Transfer.hs Fix transfer log file locking problem when running concurrent transfers. 2017-05-25 17:40:23 -04:00
UpdateInstead.hs sync hack to make updateInstead work on eg FAT 2017-02-17 15:21:52 -04:00
Url.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
UUID.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
VariantFile.hs stop using MissingH for MD5 2017-05-15 21:36:03 -04:00
VectorClock.hs avoid accidental Show of VectorClock 2017-08-14 14:51:54 -04:00
Version.hs Support using v3 repositories without upgrading them to v5. 2016-10-05 16:53:09 -04:00
View.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
Wanted.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
WorkTree.hs upgrade: Handle upgrade to v6 when the repository already contains v6 unlocked files whose content is already present. 2016-10-17 15:19:47 -04:00