I think we do indeed want to filter out suspect paths in the tree building function.
I'm currently travelling so won't be able to fix this soon; it'd be great if somebody contributed a fix for this.

Cheers,

jelmer

On 18 December 2014 17:57:33 GMT-05:00, Gary van der Merwe <[email protected]> wrote:
> On Thu, Dec 18, 2014 at 11:45 PM, Andi McClure
> <[email protected]> wrote:
>>
>> News is going around today about a potential-remote-code-execution
>> vulnerability in the standard git clients:
>>
>> https://github.com/blog/1938-git-client-vulnerability-announced
>>
>> Is Dulwich potentially affected?
>
> Yes. And not only on case insensitive file systems, like with git, but
> always :-(
>
> I've attached a file to demonstrate it. It creates a repo with a
> commit of a .git/hooks/pre-commit file. Git prevents writing this file
> to the working tree, but dulwich happily writes it out.
>
> /tmp % ./cve-2014-9390-create.py
> /tmp % cd cve-2014-9390-repo.git
> /tmp/cve-2014-9390-repo.git (git)-[master] % git reset --hard
> error: Invalid path '.git/hooks/pre-commit'
> HEAD is now at 1c27312 Evil commit
> /tmp/cve-2014-9390-repo.git (git)-[master] % dulwich reset --hard
> /tmp/cve-2014-9390-repo.git (git)-[master] % git commit -m "test" --allow-empty
> You just got cracked! (not really but you could have been!)
> [master 29a7100] test
>
> For my own use cases of dulwich, I'm not affected by this as I only
> ever read and write directly to repos with dulwich without checking
> out trees to a working tree. Do other users actually use the dulwich
> index module, or porcelain commands?
>
> How do we fix this? I assume we start by filtering what we write in
> dulwich.index.build_index_from_tree? Filtering the case sensitive and
> case insensitive cases is easy, but some of the other edge cases
> ("git~1" on windows, ".g\u200cit" on HFS+) are a little more tricky.
> Do we care about preventing a user from adding these paths to the
> index?
>
> Gary
_______________________________________________
Mailing list: https://launchpad.net/~dulwich-users
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~dulwich-users
More help   : https://help.launchpad.net/ListHelp
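The filter Gary proposes for `build_index_from_tree`, written out as an added example that is not dulwich's code and not part of the thread. It rejects any path component that could address the `.git` directory on some file system: the exact name, a case-folded variant, the NTFS 8.3 short name `git~1` (with NTFS trailing-dot and space stripping), and the HFS+ case where ignorable code points such as U+200C are dropped by the file system when comparing names. The HFS+ ignorable set follows the list git's own fix skips; every function name here (`validate_checkout_path`, `is_dotgit_component`, `partition_tree_paths`) and the `SAMPLE_PATHS` list are constructed for this example.

```python
"""Checkout-path filter in the spirit of git's CVE-2014-9390 fix.

Example code for the discussion above; not dulwich's implementation.
All names are the example's own.
"""

# Code points HFS+ ignores when comparing file names (the set git's HFS+
# check skips). The thread's ".g\u200cit" example relies on U+200C.
_HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
])


def _hfs_fold(name):
    """Drop the code points HFS+ ignores, so ".g\u200cit" compares as ".git"."""
    return "".join(ch for ch in name if ord(ch) not in _HFS_IGNORABLE)


def _ntfs_fold(name):
    """NTFS strips trailing dots and spaces when opening a name, so
    ".git." and ".git " both reach the real .git directory."""
    return name.rstrip(". ")


def is_dotgit_component(name):
    """True if one path component could resolve to the .git directory on
    some file system: exact, case-folded, HFS+ ignorable characters, or
    the NTFS 8.3 short name "git~1"."""
    if isinstance(name, bytes):
        name = name.decode("utf-8", "surrogateescape")
    folded = _ntfs_fold(_hfs_fold(name)).lower()
    return folded in (".git", "git~1")


def validate_checkout_path(path):
    """Return True if a '/'-separated tree path is safe to write into a
    working tree. Rejects absolute paths, NUL bytes, backslashes (a path
    separator on Windows), empty / "." / ".." components and any
    .git look-alike component."""
    if isinstance(path, bytes):
        path = path.decode("utf-8", "surrogateescape")
    if path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    for component in path.split("/"):
        if component in ("", ".", ".."):
            return False
        if is_dotgit_component(component):
            return False
    return True


def partition_tree_paths(paths):
    """Split tree paths into (safe, rejected), preserving input order.
    This is the filtering step the thread suggests for build_index_from_tree."""
    safe, rejected = [], []
    for p in paths:
        (safe if validate_checkout_path(p) else rejected).append(p)
    return safe, rejected


# Constructed sample tree paths, including the thread's malicious one.
SAMPLE_PATHS = [
    "README",
    "src/main.py",
    ".git/hooks/pre-commit",           # the "Evil commit" from the thread
    ".GIT/config",                     # case-insensitive file systems
    "git~1/HEAD",                      # NTFS 8.3 short name for .git
    ".git./HEAD",                      # NTFS trailing-dot stripping
    ".g\u200cit/hooks/post-checkout",  # HFS+ ignores U+200C
    "../outside",                      # escapes the working tree
    "docs/.gitignore",                 # legitimate: not a .git component
]

if __name__ == "__main__":
    ok, bad = partition_tree_paths(SAMPLE_PATHS)
    for p in bad:
        print("refusing to check out %r" % p)
    print("%d safe, %d rejected" % (len(ok), len(bad)))
```

Applying the check at checkout time rather than at `git add` time matches what git did in its fix: the index may still contain such a path (it has to, to read repositories that already carry one), but nothing with a `.git` look-alike component is ever written to the working tree, which is where the hook execution risk lives.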

