Traversing symlinks

Matt Mackall mpm at selenic.com
Thu May 19 15:36:00 CDT 2011


On Thu, 2011-05-19 at 21:25 +0200, Sune Foldager wrote: 
> On 19-05-2011 19:42, Matt Mackall wrote:
> 
> > Congratulations, you've just introduced a security hole that allows
> > remote attackers to 0wn you on clone.
> >
> > Just for kicks, I tried my hand at making an evil repo. Here's what
> > happens when we weaken the check on line 119 of scmutil.py as you've
> > proposed and clone my nasty little repo:
> >
> >   $ hg clone http://localhost:8000/ a2
> >   requesting all changes
> >   adding changesets
> >   adding manifests
> >   adding file changes
> >   added 1 changesets with 2 changes to 2 files
> >   updating to branch default
> >   *** y00 haz bin 0wnz0red ***
> >   2 files updated, 0 files merged, 0 files removed, 0 files unresolved
> 
> Fun
> 
> > For bonus points, you've also broken checkouts on Windows.
> > You may commence wearing a brown paper bag on your head... now.
> 
> Bah... this is poisonous and arro... no wait. But seriously, this is 
> stupid. Let's be civil; no one's trying to steal your candy.

On the other hand, I completely failed to get Martin (or Dominick) to
stop and think yesterday; other more blunt methods were clearly called
for. But it's not meant to be mean-spirited.

(Also, lots of candy is obviously at stake here.)

> > I'm not going to tell you which of several possible exploits I used just
> > yet, as the point of this exercise is to demonstrate that just because
> > you can't imagine an attack doesn't mean it doesn't exist.
> 
> Well, for educational purposes, why don't you divulge your expert 
> knowledge? :)  I, for one, would like to know.

Well, it's not really cool for project leaders to post their own 0-day
'sploits with vulnerable clients still out there. So not yet.

And I really want people to think -creatively- about all the ways that
something could go wrong here before proposing changes. If I just tell
you what I did, then I'll instead almost certainly get a patch that
focuses on _my specific exploit_.

The thing is, when I said no to this yesterday, I personally did NOT
know an attack was possible, because even I don't have the level of
expertise necessary to fully evaluate it. But I did know enough to know
that there were things to be worried about.

The bar for introducing security checks is low - you just need to be a
paranoid.

The bar for removing security checks is VERY high - you need to be a
paranoid AND a subject-matter expert.

-- 
Mathematics is the supreme nostalgia of our time.
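The check being argued over above is a working-copy path audit: before writing a file named in a manifest, refuse any path that is absolute, contains `..`, or passes through a component that is a symlink, since a hostile repository can first check out a symlink and then write "through" it to anywhere on the host. The following is an added illustration of that kind of audit, not Mercurial's own scmutil.py code; the function and error names are hypothetical, and the scenario in `demo()` is constructed.

```python
import os
import tempfile


class PathAuditError(Exception):
    """Raised when a manifest path must not be written into the working copy."""


def audit_path(root, relpath):
    """Reject a working-copy path that could escape or redirect the checkout.

    1. Absolute paths and '', '.', '..' components are refused outright.
    2. Every proper prefix of the path that already exists under root must be
       a real directory, never a symlink, so a repo cannot check out
       `lib -> /somewhere/else` and then write `lib/file` through it.
    Returns the normalised relative path on success.
    """
    if os.path.isabs(relpath) or os.path.splitdrive(relpath)[0]:
        raise PathAuditError("absolute path in manifest: %r" % relpath)
    parts = relpath.replace("\\", "/").split("/")
    for part in parts:
        if part in ("", ".", ".."):
            raise PathAuditError("illegal component %r in %r" % (part, relpath))
    cur = root
    for part in parts[:-1]:  # walk each prefix directory on disk
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            raise PathAuditError("%r traverses symlink %r" % (relpath, part))
        if os.path.exists(cur) and not os.path.isdir(cur):
            raise PathAuditError("%r traverses non-directory %r" % (relpath, part))
    return "/".join(parts)


def demo():
    """Constructed scenario: the checkout already wrote `lib` as a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        outside = tempfile.mkdtemp()  # stands in for a directory outside the clone
        try:
            os.symlink(outside, os.path.join(root, "lib"))
            for p in ("src/main.py", "lib/evil.py", "../escape", "/etc/x"):
                try:
                    audit_path(root, p)
                    results[p] = "ok"
                except PathAuditError:
                    results[p] = "rejected"
        finally:
            os.rmdir(outside)
    return results
```

Only `src/main.py` passes; the other three paths are rejected before anything is written.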