From: valentin.haenel at gmx.de (Valentin Haenel)
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
Date: Mon, 29 Oct 2012 16:45:36 +0100 [thread overview]
Message-ID: <20121029154536.GA8463@kudu.in-berlin.de> (raw)
In-Reply-To: <20121029145238.GA31761@sir-slippy>
* Ben Boeckel <mathstuf at gmail.com> [2012-10-29]:
> On Mon, Oct 29, 2012 at 10:43:47 +0100, Valentin Haenel wrote:
> > I added the single quotes as suggested. When I looked at the code
> > initially, I was reasoning that the remote_user is set by the
> > authentication part, in our case this is Apache, which in turn asks
> > LDAP. Furthermore, Apache sets the remote_user and forward to cgit only
> > if the user is actually a valid user. So my assumption was, that
> > remote_user is not under the attackers control.
> >
> > I guess I need some more help to understand why I am mistaken about
> > this. Is it the case that the assumption fails, if an attacker can
> > inject something into LDAP he may be able to pass through apache
> > successfully and then have his exploit, which is in remote_user, be
> > executed on the machine which is running cgit?
>
> Okay, that makes it sound to me as if it makes sense to have a setting
> for the variable.
>
> We should quote it since the provenance is outside of cgit. If
> preventing code exection is a couple of characters added on our side,
> it'll mean we don't have to worry about bugs in apache, nginx, lighttpd,
> slapd, and every other piece of software which might be involved.
> Remember, we need only give attackers one hole and we're done. Even if
> "that's impossible" is the gut reaction, that's a target attackers can
> knowningly try to thread arbitrary strings through towards.
>
> It also means we're guarded against obscure webserver setups which is
> always a good thing (http://git.example.org/~foobar giving the user's
> view being turned into a user's view is possible).
Yeah, better safe than sorry. :-D
V-
next prev parent reply other threads:[~2012-10-29 15:45 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-16 9:15 [PATCH 0/3] Implement authorization via external program valentin.haenel
2012-10-16 9:15 ` [PATCH 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:11 ` Jason
2012-10-29 9:49 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-16 11:21 ` Jason
2012-10-16 12:48 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository using valentin.haenel
2012-10-16 9:17 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-22 8:29 ` [PATCHv2 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:22 ` valentin.haenel
2012-10-29 14:53 ` mathstuf
2012-10-29 15:50 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-28 1:16 ` Jason
2012-10-28 1:29 ` mathstuf
2012-10-28 1:33 ` Jason
2012-10-29 9:43 ` valentin.haenel
2012-10-29 14:52 ` mathstuf
2012-10-29 15:45 ` valentin.haenel [this message]
2012-10-28 1:17 ` Jason
2012-10-29 12:38 ` valentin.haenel
2012-10-30 9:54 ` valentin.haenel
2012-10-28 1:14 ` Jason
2012-10-29 9:36 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:27 ` valentin.haenel
2012-10-30 10:11 ` [PATCHv3 0/3] Implement authorization via external program (v3) valentin.haenel
2012-10-30 15:04 ` mathstuf
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 1/3] Add config option user-envvar valentin.haenel
2012-10-30 16:29 ` Jason
2012-10-30 10:11 ` [PATCHv3 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-30 15:05 ` mathstuf
2012-10-31 18:50 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-10-31 18:52 ` [PATCHv4 1/2] Add ability to authorize " valentin.haenel
2012-10-31 18:52 ` [PATCHv4 2/2] Helper script to interface to gitolite valentin.haenel
2012-11-01 3:03 ` jamie.couture
2012-11-01 3:23 ` mathstuf
2012-11-01 4:20 ` Jason
2012-11-01 4:31 ` mathstuf
2012-11-01 8:58 ` valentin.haenel
2012-11-01 17:32 ` Jason
2012-11-01 10:40 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-11-01 17:27 ` Jason
2012-11-01 17:32 ` valentin.haenel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121029154536.GA8463@kudu.in-berlin.de \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).