On Thu, Jan 31, 2013 at 1:59 PM, Junio C Hamano <gits...@pobox.com> wrote:
> Shawn Pearce <spea...@spearce.org> writes:
>> Before parsing a suspected smart-HTTP response verify the returned
>> Content-Type matches the standard. This protects a client from
>> attempting to process a payload that smells like a smart-HTTP
>> server response.
>> JGit has been doing this check on all responses since the dawn of
>> time. I mistakenly failed to include it in git-core when smart HTTP
>> was introduced. At the time I didn't know how to get the Content-Type
>> from libcurl. I punted, meant to circle back and fix this, and just
>> plain forgot about it.
>> Signed-off-by: Shawn Pearce <spea...@spearce.org>
> Sounds sensible. Was there a report of attack attempts by malicious
> servers or something, or is it just a general "common sense" thing?
I had a report a while ago about JGit not working with the Git servers
at Codeplex. This failure was caused by their HTTP servers returning
an invalid Content-Type, making JGit refuse to continue parsing. This
has since been fixed, I verified this morning that Codeplex is
returning the correct Content-Type.
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html