On Thu, 2018-02-08 at 21:44 +0100, Jakub Wilk wrote: > It's hard to tell whether they agree, because disabling git-remote-ext > by default is not documented AFAICT. See bug #867699.
Thanks for the pointer.
> Users might need to re-enable git-remote-ext for their own purposes, so
> this needs to be fixed in webcheckout.
How would you suggest doing that?
* Blacklist ext::
* Whitelist good remote protocols
How should it handle the bad remotes?
* Fail with "potentially unsafe git remote"
* Fail with "potentially unsafe git URL, may execute code: ext::*"
* Fail with "potentially unsafe git URL, may execute code:
git clone ext::*"
> webcheckout is also susceptible to option injection, but I couldn't find
> a way to exploit it for anything nefarious.
I made a patch for that locally, but I wanted the commit to link to the
canonical document about option injection but I cannot find a link.
IIRC it includes how to get RCE with tar/cpio/etc option injection.
Do you remember where that can be found?
--
bye,
pabs
https://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part

