From: mathstuf at gmail.com (Ben Boeckel)
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
Date: Mon, 29 Oct 2012 10:52:38 -0400 [thread overview]
Message-ID: <20121029145238.GA31761@sir-slippy> (raw)
In-Reply-To: <20121029094346.GD17370@kudu.in-berlin.de>
On Mon, Oct 29, 2012 at 10:43:47 +0100, Valentin Haenel wrote:
> I added the single quotes as suggested. When I looked at the code
> initially, I was reasoning that the remote_user is set by the
> authentication part, in our case this is Apache, which in turn asks
> LDAP. Furthermore, Apache sets the remote_user and forward to cgit only
> if the user is actually a valid user. So my assumption was, that
> remote_user is not under the attackers control.
>
> I guess I need some more help to understand why I am mistaken about
> this. Is it the case that the assumption fails, if an attacker can
> inject something into LDAP he may be able to pass through apache
> successfully and then have his exploit, which is in remote_user, be
> executed on the machine which is running cgit?
Okay, that makes it sound to me as if it makes sense to have a setting
for the variable.
We should quote it since the provenance is outside of cgit. If
preventing code exection is a couple of characters added on our side,
it'll mean we don't have to worry about bugs in apache, nginx, lighttpd,
slapd, and every other piece of software which might be involved.
Remember, we need only give attackers one hole and we're done. Even if
"that's impossible" is the gut reaction, that's a target attackers can
knowningly try to thread arbitrary strings through towards.
It also means we're guarded against obscure webserver setups which is
always a good thing (http://git.example.org/~foobar giving the user's
view being turned into a user's view is possible).
--Ben
next prev parent reply other threads:[~2012-10-29 14:52 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-16 9:15 [PATCH 0/3] Implement authorization via external program valentin.haenel
2012-10-16 9:15 ` [PATCH 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:11 ` Jason
2012-10-29 9:49 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-16 11:21 ` Jason
2012-10-16 12:48 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository using valentin.haenel
2012-10-16 9:17 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-22 8:29 ` [PATCHv2 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:22 ` valentin.haenel
2012-10-29 14:53 ` mathstuf
2012-10-29 15:50 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-28 1:16 ` Jason
2012-10-28 1:29 ` mathstuf
2012-10-28 1:33 ` Jason
2012-10-29 9:43 ` valentin.haenel
2012-10-29 14:52 ` mathstuf [this message]
2012-10-29 15:45 ` valentin.haenel
2012-10-28 1:17 ` Jason
2012-10-29 12:38 ` valentin.haenel
2012-10-30 9:54 ` valentin.haenel
2012-10-28 1:14 ` Jason
2012-10-29 9:36 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:27 ` valentin.haenel
2012-10-30 10:11 ` [PATCHv3 0/3] Implement authorization via external program (v3) valentin.haenel
2012-10-30 15:04 ` mathstuf
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 1/3] Add config option user-envvar valentin.haenel
2012-10-30 16:29 ` Jason
2012-10-30 10:11 ` [PATCHv3 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-30 15:05 ` mathstuf
2012-10-31 18:50 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-10-31 18:52 ` [PATCHv4 1/2] Add ability to authorize " valentin.haenel
2012-10-31 18:52 ` [PATCHv4 2/2] Helper script to interface to gitolite valentin.haenel
2012-11-01 3:03 ` jamie.couture
2012-11-01 3:23 ` mathstuf
2012-11-01 4:20 ` Jason
2012-11-01 4:31 ` mathstuf
2012-11-01 8:58 ` valentin.haenel
2012-11-01 17:32 ` Jason
2012-11-01 10:40 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-11-01 17:27 ` Jason
2012-11-01 17:32 ` valentin.haenel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121029145238.GA31761@sir-slippy \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).