git-annex/Utility
Joey Hess 28720c795f
limit url downloads to whitelisted schemes
Security fix! Allowing any schemes, particularly file: and
possibly others like scp: allowed file exfiltration by anyone who had
write access to the git repository, since they could add an annexed file
using such an url, or using an url that redirected to such an url,
and wait for the victim to get it into their repository and send them a copy.

* Added annex.security.allowed-url-schemes setting, which defaults
  to only allowing http and https URLs. Note especially that file:/
  is no longer enabled by default.

* Removed annex.web-download-command, since its interface does not allow
  supporting annex.security.allowed-url-schemes across redirects.
  If you used this setting, you may want to instead use annex.web-options
  to pass options to curl.

With annex.web-download-command removed, nearly all url accesses in
git-annex are made via Utility.Url via http-client or curl. http-client
only supports http and https, so no problem there.
(Disabling one and not the other is not implemented.)

Used curl --proto to limit the allowed url schemes.

Note that this will cause git annex fsck --from web to mark files using
a disallowed url scheme as not being present in the web. That seems
acceptable; fsck --from web also does that when a web server is not available.

youtube-dl already disabled file: itself (probably for similar
reasons). The scheme check was also added to youtube-dl urls for
completeness, although that check won't catch any redirects it might
follow. But youtube-dl goes off and does its own thing with other
protocols anyway, so that's fine.

Special remotes that support other domain-specific url schemes are not
affected by this change. In the bittorrent remote, aria2c can still
download magnet: links. The download of the .torrent file is
otherwise now limited by annex.security.allowed-url-schemes.

This does not address any external special remotes that might download
an url themselves. Current thinking is all external special remotes will
need to be audited for this problem, although many of them will use
http libraries that only support http and not curl's menagerie.

The related problem of accessing private localhost and LAN urls is not
addressed by this commit.

This commit was sponsored by Brett Eisenberg on Patreon.
2018-06-16 11:57:50 -04:00
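A sketch of the scheme allowlist described in the commit message above, added here as an example; it is not code from the commit or from git-annex. The function names are hypothetical, and treating the allowed list as space-separated is an assumption.

```shell
#!/bin/sh
# Added example, not git-annex code; all function names are hypothetical.
DEFAULT_SCHEMES="http https"   # default stated in the commit message

# Print the lowercased scheme of a URL; fail if it has no valid scheme.
url_scheme() {
    case "$1" in [A-Za-z]*:*) ;; *) return 1 ;; esac
    s=${1%%:*}
    case "$s" in *[!A-Za-z0-9+.-]*) return 1 ;; esac
    printf '%s\n' "$s" | tr 'A-Z' 'a-z'
}

# Succeed only if the URL's scheme is in the space-separated list $2.
scheme_allowed() {
    want=$(url_scheme "$1") || return 1
    for a in ${2:-$DEFAULT_SCHEMES}; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# Build curl's --proto value; a leading "=" means "only these protocols".
curl_proto_value() {
    out=
    for a in ${1:-$DEFAULT_SCHEMES}; do out="${out:+$out,}$a"; done
    printf '=%s\n' "$out"
}

# Check the scheme up front, then let curl enforce the same list itself.
# The up-front check only sees the first URL; --proto is what still applies
# when --location follows a redirect.
guarded_fetch() {
    url=$1; dest=$2; schemes=${3:-$DEFAULT_SCHEMES}
    if ! scheme_allowed "$url" "$schemes"; then
        echo "refusing $url: scheme not allowed" >&2
        return 2
    fi
    curl --silent --fail --location \
        --proto "$(curl_proto_value "$schemes")" \
        --output "$dest" --url "$url"
}

# Constructed sample URLs; this loop makes no network requests.
for u in 'https://example.com/a' 'file:///home/user/notes' 'SCP://host/f'; do
    if scheme_allowed "$u"; then echo "allow $u"; else echo "deny  $u"; fi
done
```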
Directory add streamDirectoryContents 2018-04-26 13:38:36 -04:00
DirWatcher Support building with hinotify-0.3.10. 2018-05-08 14:43:06 -04:00
Env fix windows build 2018-01-04 14:23:11 -04:00
LockFile remove temp file in failure case 2017-06-06 14:23:33 -04:00
LockPool Fix transfer log file locking problem when running concurrent transfers. 2017-05-25 17:40:23 -04:00
Path finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Process fixed processTranscript hang problem 2018-03-15 16:14:22 -04:00
Scheduled reorg quickcheck to a separate module 2015-11-17 15:49:22 -04:00
Tmp finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Touch move old ghc compat code into separate module; eliminate WITH_CLIBS 2016-02-15 11:47:33 -04:00
Aeson.hs Fix mangling of --json output of utf-8 characters when not running in a utf-8 locale 2018-04-16 16:21:21 -04:00
Android.hs avoid uname -o on !linux and catch any exception from it 2018-05-08 14:06:19 -04:00
Applicative.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
AuthToken.hs unified AuthToken type between webapp and tor 2016-11-22 14:18:34 -04:00
Base64.hs avoid throwing exception when String is not encoded using the filesystem encoding 2015-08-12 10:57:48 -04:00
Batch.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
Bloom.hs fix bug in back-compat ifdef 2015-09-23 13:09:08 -04:00
CoProcess.hs Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
CopyFile.hs fold Build/SysConfig.hs into BuildInfo via include 2017-12-14 12:46:57 -04:00
Daemon.hs terminateProcessId renamed 2017-10-25 19:46:28 -04:00
Data.hs disable horrible tab warning, needed in every file that Setup.hs pulls in 2015-05-10 16:31:50 -04:00
DataUnits.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
DBus.hs Revert "When listing DBus services, also list activatable services." 2015-06-02 14:38:24 -04:00
Directory.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
DirWatcher.hs disable closingTracked on OSX 2017-06-09 14:18:58 -04:00
DiskFree.hs build without disk-free-space on android 2016-03-08 02:45:10 -04:00
Dot.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
DottedVersion.hs Some optimisations to string splitting code. 2017-01-31 19:06:22 -04:00
Env.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Exception.hs allow Utility.Exception to still be used when not building with cabal 2016-11-15 22:01:55 -04:00
ExternalSHA.hs Always use filesystem encoding for all file and handle reads and writes. 2016-12-24 14:46:31 -04:00
FileMode.hs use unix-compat 0.5 on windows 2017-11-14 14:00:24 -04:00
FileSize.hs matchexpression: New plumbing command to check if a preferred content expression matches some data. 2016-01-25 16:16:18 -04:00
FileSystemEncoding.hs Support building with hinotify-0.3.10. 2018-05-08 14:43:06 -04:00
Format.hs fix failing quickcheck properties 2017-06-17 16:48:00 -04:00
FreeDesktop.hs use System.Directory not Utility.Directory 2016-09-22 11:34:55 -04:00
Glob.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
Gpg.hs windows build fix 2018-01-05 15:09:10 -04:00
Hash.hs fix build with cryptonite-0.20 2018-03-15 11:16:00 -04:00
HtmlDetect.hs fix regression in addurl --file caused by youtube-dl support 2017-12-06 13:22:31 -04:00
HumanNumber.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
HumanTime.hs generalize parseDuration so it can be used in the ReadM monad 2015-07-08 16:08:26 -04:00
InodeCache.hs Fix build with QuickCheck 2.10. 2017-06-17 13:04:48 -04:00
libkqueue.c update my email address and homepage url 2015-01-21 12:50:09 -04:00
libkqueue.h fix prototype 2012-06-19 01:57:19 -04:00
LinuxMkLibs.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
LockFile.hs use lock pools throughout git-annex 2015-05-19 14:09:52 -04:00
LockPool.hs Fix shared lock file FD leak. 2016-03-01 15:31:39 -04:00
LogFile.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Lsof.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
MagicWormhole.hs wormhole pairing appid flag day 2021-12-31 2017-02-03 15:06:40 -04:00
Matcher.hs improve comment 2015-09-15 13:12:21 -04:00
Metered.hs refactor sinkResponseFile and add downloadC 2018-04-06 16:07:08 -04:00
Misc.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Monad.hs disable horrible tab warning, needed in every file that Setup.hs pulls in 2015-05-10 16:31:50 -04:00
Mounts.hs deal with getMounts crashing on android 2018-04-25 17:42:27 -04:00
Network.hs more {-# OPTIONS_GHC -fno-warn-tabs #-} ... Forcing people who have what is merely a difference of opinion to you to do this is a bit of an asshole move. Just saying. 2015-05-10 16:38:49 -04:00
NotificationBroadcaster.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
OptParse.hs I've been not documenting these import Preludes used to deal with the AMP transition 2015-09-15 11:32:47 -04:00
OSX.hs disable horrible tab warning, needed in every file that Setup.hs pulls in 2015-05-10 16:31:50 -04:00
Parallel.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
PartialPrelude.hs correct spelling mistakes 2017-02-12 17:30:23 -04:00
Path.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Percentage.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
PID.hs Revert "Revert "remove dep on Win32-extras"" 2017-11-13 12:55:23 -04:00
Process.hs p2p ssh connection pools 2018-03-08 15:11:31 -04:00
QuickCheck.hs Fix build with QuickCheck 2.10. 2017-06-17 13:04:48 -04:00
Rsync.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
SafeCommand.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
Scheduled.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
Shell.hs clean up build warnings on Windows 2017-11-14 14:14:10 -04:00
SimpleProtocol.hs git-annex-shell, remotedaemon, git remote: Fix some memory DOS attacks. 2016-12-09 13:34:32 -04:00
Split.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
SRV.hs Fix build with dns-3.0. 2017-11-24 10:49:31 -04:00
SshConfig.hs redundant import 2015-09-22 12:31:54 -04:00
SshHost.hs avoid the dashed ssh hostname class of security holes 2017-08-17 22:11:31 -04:00
Su.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
SystemDirectory.hs Fix build with directory-1.3. 2016-12-20 15:23:59 -04:00
Tense.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
ThreadLock.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
ThreadScheduler.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
TList.hs update my email address and homepage url 2015-01-21 12:50:09 -04:00
Tmp.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
Tor.hs Support all common locations of the torrc file. 2016-12-28 15:12:31 -04:00
Touch.hs another windows build fix 2016-03-05 15:08:37 -04:00
Tuple.hs adeiu, MissingH 2017-05-16 01:03:52 -04:00
Url.hs limit url downloads to whitelisted schemes 2018-06-16 11:57:50 -04:00
UserInfo.hs catch exceptions from getEffectiveUserID 2018-04-24 20:10:10 -04:00
Verifiable.hs Removed dependency on haskell SHA library, instead using cryptohash >= 0.11.0. 2015-04-19 11:05:32 -04:00
WebApp.hs clean up build warnings on Windows 2017-11-14 14:14:10 -04:00
Yesod.hs Fix build with yesod 1.6. 2018-04-22 13:56:35 -04:00