On Tue, Jan 05, 2016 at 04:23:33PM -0800, Jonathan Nieder wrote:

> > Git packfiles come from two places:
> >
> >   1. Local maintenance repacks loose and already-packed objects into a
> >      new packfile. We trust the local repack process to generate a valid
> >      packfile (though the contents of individual objects may be
> >      untrusted, of course).
>
> I think we should reconsider such trust. If one user creates a
> malicious pack, if another user uses read-only git commands to access
> the repository (after inspecting .git/config to make sure it doesn't
> contain anything scary) the result should not be arbitrary code
> execution.
>
> Producing bogus output or aborting is okay; arbitrary code execution
> less so.

I agree it is better if we can meet this standard, and I didn't mean to
discourage fixes in the area. But I do think it is worth classifying
them differently than bugs that can be triggered via the network. The
attack surface for on-disk attacks is much larger, and the number of
people affected is much smaller.

Regarding your example, I'm not sure it's the best motivating example,
as I imagine hardly anyone examines .git/config. :)

A simplified one might be that:

  git fetch me@shared-server:/home/you/foo.git

is running git-upload-pack as me on packfiles created by you (on the
server). We normally expect that to be a "safe" operation (and it is if
done over git:// or similar).

-Peff
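The standard both posters describe ("bogus output or aborting is okay; arbitrary code execution less so") is, in practice, a parser that treats every byte of a pack as untrusted. The following is an added example, not code from this thread or from git itself: a structural validator for a version-2 packfile that checks the trailing SHA-1 before anything else, bounds-checks every read of the variable-length object headers, and requires the inflated length to match the declared length, so a malformed pack is rejected with an exception instead of being acted upon. The pack layout it parses is git's documented format (12-byte header, per-object varint headers, zlib streams, 20-byte trailer); `build_pack` is a constructed helper for producing sample input, and delta objects are only checked structurally (their bases are not resolved).

```python
import hashlib
import struct
import zlib

PACK_SIGNATURE = b"PACK"
OBJ_COMMIT, OBJ_TREE, OBJ_BLOB, OBJ_TAG = 1, 2, 3, 4
OBJ_OFS_DELTA, OBJ_REF_DELTA = 6, 7
VALID_TYPES = {OBJ_COMMIT, OBJ_TREE, OBJ_BLOB, OBJ_TAG, OBJ_OFS_DELTA, OBJ_REF_DELTA}


class PackError(ValueError):
    """Raised for any packfile that violates the on-disk format."""


def _read_object_header(data, pos):
    """Decode the variable-length (type, size) header at pos; every byte is bounds-checked."""
    if pos >= len(data):
        raise PackError("truncated object header at %d" % pos)
    c = data[pos]
    pos += 1
    obj_type = (c >> 4) & 0x7
    size = c & 0x0F
    shift = 4
    while c & 0x80:
        if pos >= len(data):
            raise PackError("truncated object header at %d" % pos)
        c = data[pos]
        pos += 1
        size |= (c & 0x7F) << shift
        shift += 7
    return obj_type, size, pos


def _read_ofs_delta_base(data, pos):
    """Decode the offset-encoded base distance that follows an OBJ_OFS_DELTA header."""
    if pos >= len(data):
        raise PackError("truncated ofs-delta base at %d" % pos)
    c = data[pos]
    pos += 1
    off = c & 0x7F
    while c & 0x80:
        if pos >= len(data):
            raise PackError("truncated ofs-delta base at %d" % pos)
        c = data[pos]
        pos += 1
        off = ((off + 1) << 7) | (c & 0x7F)
    return off, pos


def verify_pack(data):
    """Validate a version-2 pack structurally; return [(type, size), ...] or raise PackError."""
    if len(data) < 12 + 20:
        raise PackError("pack too short for header and trailer")
    body, trailer = data[:-20], data[-20:]
    if hashlib.sha1(body).digest() != trailer:  # checksum first: cheap, catches truncation/tampering
        raise PackError("trailer checksum mismatch")
    sig, version, count = struct.unpack(">4sII", body[:12])
    if sig != PACK_SIGNATURE:
        raise PackError("bad signature %r" % sig)
    if version != 2:
        raise PackError("unsupported pack version %d" % version)
    pos, objects = 12, []
    for _ in range(count):
        obj_start = pos
        obj_type, size, pos = _read_object_header(body, pos)
        if obj_type not in VALID_TYPES:
            raise PackError("invalid object type %d at %d" % (obj_type, obj_start))
        if obj_type == OBJ_OFS_DELTA:
            off, pos = _read_ofs_delta_base(body, pos)
            if off == 0 or off > obj_start - 12:  # base must be an earlier object of this pack
                raise PackError("ofs-delta base out of range at %d" % obj_start)
        elif obj_type == OBJ_REF_DELTA:
            if pos + 20 > len(body):
                raise PackError("truncated ref-delta base id at %d" % pos)
            pos += 20  # 20-byte base object id; resolving it is out of scope here
        d = zlib.decompressobj()
        try:
            inflated = d.decompress(body[pos:])
        except zlib.error as e:
            raise PackError("bad zlib stream at %d: %s" % (pos, e))
        if not d.eof:
            raise PackError("unterminated zlib stream at %d" % pos)
        if len(inflated) != size:  # declared size must match what actually inflated
            raise PackError("declared size %d != inflated size %d at %d" % (size, len(inflated), obj_start))
        pos = len(body) - len(d.unused_data)  # advance past exactly the consumed stream
        objects.append((obj_type, size))
    if pos != len(body):
        raise PackError("%d trailing bytes after the last object" % (len(body) - pos))
    return objects


def build_pack(objects, declared_count=None):
    """Constructed helper: build a pack from (type, payload) pairs for demonstration.

    declared_count writes a wrong object count into the header (trailer recomputed),
    so only the structural checks, not the checksum, can catch it.
    """
    count = len(objects) if declared_count is None else declared_count
    body = struct.pack(">4sII", PACK_SIGNATURE, 2, count)
    for obj_type, payload in objects:
        size = len(payload)
        hdr = bytes([(obj_type << 4) | (size & 0x0F) | (0x80 if size >= 16 else 0)])
        size >>= 4
        while size:
            hdr += bytes([(size & 0x7F) | (0x80 if size >= 128 else 0)])
            size >>= 7
        body += hdr + zlib.compress(payload)
    return body + hashlib.sha1(body).digest()


if __name__ == "__main__":
    sample = build_pack([(OBJ_BLOB, b"hello\n"), (OBJ_COMMIT, b"x" * 300)])
    print(verify_pack(sample))
```

Checking the trailer first means a truncated or bit-flipped pack is refused before any header is interpreted; the object-count and size cross-checks are what catch a pack whose trailer was recomputed after the header was altered, which is the case a "trusted" local repack would never produce but a hostile co-tenant on a shared server could.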