On 11/02, Jeff King wrote:
> On Wed, Nov 02, 2016 at 03:20:47PM -0700, Brandon Williams wrote:
> 
> > Add configuration option 'core.allowProtocol' to allow users to create a
> > whitelist of allowed protocols for fetch/push/clone in their gitconfig.
> > 
> > For git-submodule.sh, fallback to default whitelist only if the user
> > hasn't explicitly set `GIT_ALLOW_PROTOCOL` or doesn't have a whitelist
> > in their gitconfig.
> 
> This says "what", but not "why". What's the use case?
> 
> I can see somebody wanting to pare down the whitelist further (e.g.,
> because they are carrying ssh credentials that they don't want to use on
> behalf of a malicious repo). But in general I'd expect this setting to
> be a function of the environment you're operating in, and not the
> on-disk config.
> 
> Or is the intent to broaden it for cases where you have a clone that
> uses some non-standard protocol, and you want it to Just Work on
> subsequent recursive fetches?
> 
> > +core.allowProtocol::
> > +   Provide a colon-separated list of protocols which are allowed to be
> > +   used with fetch/push/clone. This is useful to restrict recursive
> > +   submodule initialization from an untrusted repository. Any protocol not
> > +   mentioned will be disallowed (i.e., this is a whitelist, not a
> > +   blacklist). If the variable is not set at all, all protocols are
> > +   enabled. If the `GIT_ALLOW_PROTOCOL` enviornment variable is set, it is
> > +   used as the protocol whitelist instead of this config option.
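Review bot: the sentence "If the variable is not set at all, all protocols are enabled" in this documentation hunk holds only for a direct fetch/push/clone; the git-submodule.sh change later in this same patch falls back to the stock `file:git:http:https:ssh` list when neither `GIT_ALLOW_PROTOCOL` nor `core.allowProtocol` is set, so the text should state that submodule recursion keeps the default whitelist. There is also a typo in the last line: "enviornment" should be "environment".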
> 
> The "not set at all, all protocols are enabled" bit is not quite
> correct, is it? It is true for a top-level fetch, but not for submodule
> recursion (and especially since you are talking about submodule
> recursion immediately before, it is rather confusing).

Yeah, Stefan mentioned this to me.  I simply copied the documentation from
GIT_ALLOW_PROTOCOL, perhaps that should be updated as well?

> 
> > --- a/git-submodule.sh
> > +++ b/git-submodule.sh
> > @@ -27,7 +27,8 @@ cd_to_toplevel
> >  #
> >  # If the user has already specified a set of allowed protocols,
> >  # we assume they know what they're doing and use that instead.
> > -: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
> > +config_whitelist=$(git config core.allowProtocol)
> > +: ${GIT_ALLOW_PROTOCOL=${config_whitelist:-file:git:http:https:ssh}}
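Review bot: `config_whitelist=$(git config core.allowProtocol)` discards the command's exit status, and the `${config_whitelist:-...}` expansion on the next line then treats an explicitly empty `core.allowProtocol` exactly like an unset one, so `git config core.allowProtocol ""` ends up with the stock list instead of allowing nothing, which is the opposite of what the `=`-without-`:` expansion on the removed line does for an empty `GIT_ALLOW_PROTOCOL`. Branch on the lookup's exit status instead, e.g. `if config_whitelist=$(git config core.allowProtocol)` / `then : "${GIT_ALLOW_PROTOCOL=$config_whitelist}"` / `else : "${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}"; fi`. The comment above the change still describes only the environment variable and should mention the config fallback as well.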
> 
> The original uses "=" without a ":" so that an empty variable takes
> precedence over the stock list (i.e., allowing nothing). Would you want
> the same behavior for the config variable? I.e.:
> 
>   # this should probably allow nothing, right?
>   git config core.allowProtocol ""
> 
> I think you'd have to check the return code of "git config" to
> distinguish those cases.

Oh, I didn't think of that case.  That can be done easily enough; it just
makes the code a bit more verbose.

> 
> > diff --git a/transport.c b/transport.c
> > index d57e8de..b1098cd 100644
> > --- a/transport.c
> > +++ b/transport.c
> > @@ -652,7 +652,7 @@ static const struct string_list 
> > *protocol_whitelist(void)
> >  
> >     if (enabled < 0) {
> >             const char *v = getenv("GIT_ALLOW_PROTOCOL");
> > -           if (v) {
> > +           if (v || !git_config_get_value("core.allowProtocol", &v)) {
> >                     string_list_split(&allowed, v, ':', -1);
> >                     string_list_sort(&allowed);
> >                     enabled = 1;
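Review bot: `git_config_get_value()` returns the raw value, which is NULL for a valueless key (`[core]` with a bare `allowProtocol`, or `git -c core.allowProtocol fetch`), and the unchanged `string_list_split(&allowed, v, ':', -1)` on the next line then dereferences that NULL, which is the segfault reported below. The new condition should reject a NULL `v` before splitting, e.g. by checking `v` again after the config lookup and dying with a clear "needs a value" error rather than crashing; the environment-variable path is unaffected because `getenv()` never returns an empty pointer for a set variable.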
> 
> I thought at first we'd have to deal with leaking "v", but "get_value"
> is the "raw" version that gives you the uninterpreted value. I think
> that means it may give you NULL, though if we see an implicit bool like:
> 
>   [core]
>   allowProtocol
> 
> That's nonsense, of course, but we would still segfault. I
> think the easiest way to test is:
> 
>   git -c core.allowProtocol fetch
> 
> which seems to segfault for me with this patch.

What is the desired behavior when a user provides a config in a way that
isn't intended?

-- 
Brandon Williams
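As an added example (not code from the patch or from git itself), the whitelist resolution the git-submodule.sh hunk is after, written as POSIX shell functions so that an explicitly empty `core.allowProtocol` is kept distinct from an unset one: `config_lookup` is a constructed stand-in for `git config core.allowProtocol`, driven by the assumed `FAKE_CONFIG_SET` and `FAKE_CONFIG_VALUE` variables so it runs without a repository, and `protocol_allowed` shows that an empty whitelist allows nothing.

```shell
# Stock list from git-submodule.sh; used only when neither the environment
# variable nor the config option is set.
STOCK_WHITELIST=file:git:http:https:ssh

# Constructed stand-in for `git config core.allowProtocol`: prints the value
# and exits 0 when the key is set (even to ""), exits 1 when it is unset.
# FAKE_CONFIG_SET / FAKE_CONFIG_VALUE are assumed test knobs, not git's.
config_lookup() {
    if [ "${FAKE_CONFIG_SET-0}" = 1 ]; then
        printf '%s\n' "${FAKE_CONFIG_VALUE-}"
        return 0
    fi
    return 1
}

# Prints the effective whitelist. GIT_ALLOW_PROTOCOL wins whenever it is
# set, even when empty (same as the "${VAR=default}" expansion in the
# original line); otherwise the config value is used only if the lookup
# succeeded, so an empty config value means "allow nothing" rather than
# falling through to the stock list.
resolve_whitelist() {
    if [ -n "${GIT_ALLOW_PROTOCOL+set}" ]; then
        printf '%s\n' "$GIT_ALLOW_PROTOCOL"
    elif wl=$(config_lookup); then
        printf '%s\n' "$wl"
    else
        printf '%s\n' "$STOCK_WHITELIST"
    fi
}

# Returns 0 if protocol $1 appears in the colon-separated whitelist $2.
# Matching is on whole entries, so "http" does not match "https", and an
# empty whitelist rejects every protocol.
protocol_allowed() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

With `FAKE_CONFIG_SET=1 FAKE_CONFIG_VALUE=""` and `GIT_ALLOW_PROTOCOL` unset, `resolve_whitelist` prints an empty list and `protocol_allowed` rejects every protocol, which is the behaviour Jeff asks about for `git config core.allowProtocol ""`.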
