On Mon, Nov 28, 2016 at 04:15:08PM -0800, Junio C Hamano wrote:

> * bw/transport-protocol-policy (2016-11-09) 2 commits
>   (merged to 'next' on 2016-11-16 at 1391d3eeed)
>  + transport: add protocol policy config option
>  + lib-proto-disable: variable name fix
>  Finer-grained control of what protocols are allowed for transports
>  during clone/fetch/push have been enabled via a new configuration
>  mechanism.
>  Will cook in 'next'.

I was looking at the way the http code feeds protocol restrictions to
CURLOPT_REDIR_PROTOCOLS, and I think this topic is missing two elements:

  1. The new policy config lets you say "only allow this protocol when
     the user specifies it". But when http.c calls is_transport_allowed(),
     the latter has no idea that we are asking it about potential
     redirects (which obviously do _not_ come from the user), and would
     erroneously allow them.

     I think this needs fixed before the topic is merged. It's not a
     regression, as it only comes into play if you use the new policy
     config. But it is a minor security hole in the new feature.

  2. If your curl is too old to support CURLOPT_REDIR_PROTOCOLS, we will
     warn if there is a protocol whitelist in effect. But that check
     only covers the environment whitelist, and we do not warn if you
     restrict other protocols.

     I actually think this should probably just warn indiscriminately.
     Even without a Git protocol whitelist specified, the code serves to
     prevent curl from redirecting to bizarre protocols like smtp. The
     affected curl versions are from 2009 and prior, so I kind of doubt
     it matters much either way (I'm actually tempted to suggest we bump
     the minimum curl version there; there's a ton of #ifdef cruft going
     back to 2002-era versions of libcurl).


Reply via email to