On 01/12/16 09:04, Jeff King wrote:
> If a malicious server redirects the initial ref
> advertisement, it may be able to leak sha1s from other,
> unrelated servers that the client has access to. For
> example, imagine that Alice is a git user, she has access to
> a private repository on a server hosted by Bob, and Mallory
> runs a malicious server and wants to find out about Bob's
> private repository.
>
> Mallory asks Alice to clone an unrelated repository from her
-----------------------------------------------------------^^^

... from _him_ ? (i.e. Mallory)

> over HTTP. When Alice's client contacts Mallory's server for
> the initial ref advertisement, the server issues an HTTP
> redirect for Bob's server. Alice contacts Bob's server and
> gets the ref advertisement for the private repository. If
> there is anything to fetch, she then follows up by asking
> the server for one or more sha1 objects. But who is the
> server?
>
> If it is still Mallory's server, then Alice will leak the
> existence of those sha1s to her.
------------------------------^^^

... to _him_ ? (again Mallory)

ATB,
Ramsay Jones
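The leak described in the quoted commit message comes down to one client-side question: after the ref advertisement was served by a different host than the one originally contacted, which host receives the follow-up request for objects? The following is an added illustration (not code from git, Jeff King, or Ramsay Jones) of the defensive rule a smart-HTTP client should apply: derive the base for every follow-up request from the URL where the advertisement was finally served, and flag when that differs from the host the user asked for. The in-memory "network" table, the host names mallory.example and bob.example, the repository paths, and the ref line are all constructed for this example; no real requests are made.

```python
from urllib.parse import urlsplit, urljoin

# Constructed in-memory "network" standing in for HTTP servers (assumption for
# this example). Each URL maps to either ("redirect", Location) or
# ("ok", advertised ref lines). Hosts, paths and the ref line are made up.
SERVERS = {
    "http://mallory.example/unrelated.git/info/refs?service=git-upload-pack":
        ("redirect",
         "http://bob.example/private.git/info/refs?service=git-upload-pack"),
    "http://bob.example/private.git/info/refs?service=git-upload-pack":
        ("ok", ["0000000000000000000000000000000000000001 refs/heads/master"]),
}

MAX_REDIRECTS = 5
INFO_REFS = "/info/refs"
SERVICE_QUERY = "?service=git-upload-pack"


def fetch_info_refs(url, servers=SERVERS):
    """Request the ref advertisement, following redirects.

    Returns (final_url, ref_lines): the URL that actually served the
    advertisement, which is the only trustworthy base for later requests.
    """
    for _ in range(MAX_REDIRECTS + 1):
        kind, payload = servers[url]
        if kind == "redirect":
            url = urljoin(url, payload)   # resolve relative Location headers too
            continue
        return url, payload
    raise RuntimeError("too many redirects")


def repo_base(info_refs_url):
    """Strip '/info/refs?service=...' to recover the repository base URL."""
    parts = urlsplit(info_refs_url)
    if not parts.path.endswith(INFO_REFS):
        raise ValueError(f"not an info/refs URL: {info_refs_url}")
    path = parts.path[: -len(INFO_REFS)]
    return f"{parts.scheme}://{parts.netloc}{path}"


def plan_fetch(requested_repo_url, servers=SERVERS):
    """Decide where the follow-up git-upload-pack request must be sent.

    The naive choice (requested_repo_url + '/git-upload-pack') would send the
    wanted sha1s back to the originally contacted server even though the
    advertisement came from somewhere else. The safe choice is derived from
    the final URL, and a host change is surfaced so the client can warn.
    """
    final_url, refs = fetch_info_refs(requested_repo_url + INFO_REFS + SERVICE_QUERY,
                                      servers)
    base = repo_base(final_url)
    requested_host = urlsplit(requested_repo_url).netloc
    served_host = urlsplit(base).netloc
    return {
        "naive_upload_pack_url": requested_repo_url + "/git-upload-pack",
        "upload_pack_url": base + "/git-upload-pack",
        "redirected_to_other_host": requested_host != served_host,
        "refs": refs,
    }


if __name__ == "__main__":
    plan = plan_fetch("http://mallory.example/unrelated.git")
    if plan["redirected_to_other_host"]:
        print("warning: ref advertisement was redirected to another host")
    print("naive follow-up would go to:", plan["naive_upload_pack_url"])
    print("follow-up must go to:      ", plan["upload_pack_url"])
```

Run as a script, the constructed scenario shows the two candidate follow-up URLs side by side: the naive one points back at mallory.example, the derived one at bob.example. A real client would additionally want to decide whether a cross-host redirect should be followed at all, which is a policy question this example leaves to the caller.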