There were coordinated releases today of Git, Hg, and SVN to patch a vulnerability associated with the use of "ssh://" in those systems. If the hostname or some other property of the URL could be manipulated to begin with a "-" character, then the constructed "ssh" command would understand the name to be an option instead. Apparently this could lead to an attack in Git, Hg, and SVN.
I do not think that the attack surface is quite as big in Fossil. (1) Hardly anybody uses "ssh://" with Fossil since it works so very well with "http://";. (2) The "ssh://" URL cannot be embedded inside of Fossil, making it difficult to obscure the attack. In order to work with Fossil, the attacker must convince the victim to run a "sync" or "clone" with a very dodgy-looking ssh:// URL. I've checked in a fix for the problem in Fossil. Please audit to confirm that I did not miss anything. I don't feel a particular need to rush out a new release containing this fix. But I am open to arguments to the contrary, if you feel differently. -- D. Richard Hipp d...@sqlite.org _______________________________________________ fossil-dev mailing list fossil-dev@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
