A malicious server may be able to use the fetch and push protocols to steal data from a user's repository that the user did not intend to share, via attacks similar to those described in the gitnamespaces(7) man page. Mention this in the git-fetch(1), git-pull(1), and git-push(1) man pages and recommend using separate repositories for private data and interaction with untrusted servers. Signed-off-by: Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> --- And here's a proposed patch. Based on the maint branch, ac84098. Documentation/fetch-push-security.txt | 9 +++++++++ Documentation/git-fetch.txt | 2 ++ Documentation/git-pull.txt | 2 ++ Documentation/git-push.txt | 2 ++ 4 files changed, 15 insertions(+) create mode 100644 Documentation/fetch-push-security.txt diff --git a/Documentation/fetch-push-security.txt b/Documentation/fetch-push-security.txt new file mode 100644 index 0000000..00944ed --- /dev/null +++ b/Documentation/fetch-push-security.txt @@ -0,0 +1,9 @@ +SECURITY +-------- +The fetch and push protocols are not designed to prevent a malicious +server from stealing data from your repository that you did not intend to +share. The possible attacks are similar to the ones described in the +"SECURITY" section of linkgit:gitnamespaces[7]. If you have private data +that you need to protect from the server, keep it in a separate +repository. + diff --git a/Documentation/git-fetch.txt b/Documentation/git-fetch.txt index 9e42169..a461b4b 100644 --- a/Documentation/git-fetch.txt +++ b/Documentation/git-fetch.txt @@ -192,6 +192,8 @@ The first command fetches the `maint` branch from the repository at objects will eventually be removed by git's built-in housekeeping (see linkgit:git-gc[1]). +include::fetch-push-security.txt[] + BUGS ---- Using --recurse-submodules can only fetch new commits in already checked diff --git a/Documentation/git-pull.txt b/Documentation/git-pull.txt index d033b25..0af2de9 100644 --- a/Documentation/git-pull.txt +++ b/Documentation/git-pull.txt @@ -237,6 +237,8 @@ If you tried a pull which resulted in complex conflicts and would want to start over, you can recover with 'git reset'. +include::fetch-push-security.txt[] + BUGS ---- Using --recurse-submodules can only fetch new commits in already checked diff --git a/Documentation/git-push.txt b/Documentation/git-push.txt index 47b77e6..5ebef9e 100644 --- a/Documentation/git-push.txt +++ b/Documentation/git-push.txt @@ -559,6 +559,8 @@ Commits A and B would no longer belong to a branch with a symbolic name, and so would be unreachable. As such, these commits would be removed by a `git gc` command on the origin repository. +include::fetch-push-security.txt[] + GIT --- Part of the linkgit:git[1] suite -- 2.7.4