On 12/01, Ramsay Jones wrote:
> 
> 
> On 01/12/16 09:04, Jeff King wrote:
> > If a malicious server redirects the initial ref
> > advertisement, it may be able to leak sha1s from other,
> > unrelated servers that the client has access to. For
> > example, imagine that Alice is a git user, she has access to
> > a private repository on a server hosted by Bob, and Mallory
> > runs a malicious server and wants to find out about Bob's
> > private repository.
> > 
> > Mallory asks Alice to clone an unrelated repository from her
> -----------------------------------------------------------^^^
> ... from _him_ ? (ie Mallory)
> 
> > over HTTP. When Alice's client contacts Mallory's server for
> > the initial ref advertisement, the server issues an HTTP
> > redirect for Bob's server. Alice contacts Bob's server and
> > gets the ref advertisement for the private repository. If
> > there is anything to fetch, she then follows up by asking
> > the server for one or more sha1 objects. But who is the
> > server?
> > 
> > If it is still Mallory's server, then Alice will leak the
> > existence of those sha1s to her.
> ------------------------------^^^
> ... to _him_ ? (again Mallory)
> 
> ATB,
> Ramsay Jones

Depends, I only know Mallorys who are women, so "her" seems appropriate.

-- 
Brandon Williams
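The redirect flow from the quoted commit message, as an added example that is not part of this thread and not git's own code. It models two smart-HTTP servers in-process with a fake transport (no network): mallory.example answers the initial info/refs request with a redirect to bob.example, which advertises a constructed private ref. A naive client follows the redirect for the advertisement but keeps posting to its original base URL, so the sha1 it wants goes to Mallory. The hardened client instead derives a new base URL from where the advertisement actually came from, refusing the redirect if the final URL does not end with the same "/info/refs?service=..." suffix it appended, since otherwise it cannot tell which repository path the new host owns. Rebasing later requests on the redirected URL is the direction git's fix for this issue took; the hostnames, repository paths, sha1 and check below are my own constructions.

```python
from urllib.parse import urlsplit

# Constructed sample data: a hypothetical private ref on Bob's server.
BOB_PRIVATE_REFS = {"refs/heads/master": "0123456789abcdef0123456789abcdef01234567"}
INFO_REFS = "/info/refs?service=git-upload-pack"
UPLOAD_PACK = "/git-upload-pack"


class Server:
    """Minimal stand-in for a smart-HTTP git server; records every sha1 asked of it."""

    def __init__(self, refs, redirect_to=None):
        self.refs = refs
        self.redirect_to = redirect_to  # absolute URL to redirect info/refs to, or None
        self.requested_sha1s = set()

    def get_info_refs(self):
        if self.redirect_to:
            return 302, self.redirect_to
        return 200, dict(self.refs)

    def post_upload_pack(self, wants):
        self.requested_sha1s.update(wants)
        return 200, b"PACK"


def build_servers():
    """Bob hosts the private repo; Mallory's 'unrelated' repo just redirects to it."""
    bob = Server(BOB_PRIVATE_REFS)
    mallory = Server({}, redirect_to="https://bob.example/private.git" + INFO_REFS)
    return {"bob.example": bob, "mallory.example": mallory}


def http(servers, method, url, body=None):
    """Fake transport: route by host, dispatch on the smart-HTTP endpoint suffix."""
    parts = urlsplit(url)
    server = servers[parts.netloc]
    path = parts.path + ("?" + parts.query if parts.query else "")
    if method == "GET" and path.endswith(INFO_REFS):
        return server.get_info_refs()
    if method == "POST" and path.endswith(UPLOAD_PACK):
        return server.post_upload_pack(body)
    return 404, None


def fetch_refs(servers, base_url):
    """GET the ref advertisement, following a bounded redirect chain.
    Returns (refs, url the advertisement was finally served from)."""
    url = base_url + INFO_REFS
    for _ in range(3):
        status, payload = http(servers, "GET", url)
        if status == 302:
            url = payload
            continue
        if status == 200:
            return payload, url
        raise RuntimeError(f"unexpected status {status} for {url}")
    raise RuntimeError("too many redirects")


def naive_clone(servers, base_url):
    """Vulnerable behaviour: the advertisement came from Bob, but the follow-up
    request for objects still goes to the original (Mallory's) base URL."""
    refs, _final_url = fetch_refs(servers, base_url)
    wants = sorted(set(refs.values()))
    http(servers, "POST", base_url + UPLOAD_PACK, wants)
    return wants


def redirect_is_acceptable(original_base, asked_url, final_url):
    """Accept a redirect only if the final URL still ends with the suffix we
    appended to the base; otherwise the new base URL cannot be derived safely."""
    suffix = asked_url[len(original_base):]
    return final_url.endswith(suffix)


def rebase_url(original_base, asked_url, final_url):
    if not redirect_is_acceptable(original_base, asked_url, final_url):
        raise RuntimeError(f"unable to derive base URL from redirect to {final_url}")
    return final_url[: -len(asked_url[len(original_base):])]


def rebased_clone(servers, base_url):
    """Hardened behaviour: every request after the advertisement uses the base
    URL derived from where the advertisement actually came from."""
    refs, final_url = fetch_refs(servers, base_url)
    base_url = rebase_url(base_url, base_url + INFO_REFS, final_url)
    wants = sorted(set(refs.values()))
    http(servers, "POST", base_url + UPLOAD_PACK, wants)
    return wants, base_url


def leaked_to_mallory(clone):
    """Run one client strategy against fresh servers; return sha1s Mallory learned."""
    servers = build_servers()
    clone(servers, "https://mallory.example/unrelated.git")
    return sorted(servers["mallory.example"].requested_sha1s)


if __name__ == "__main__":
    print("naive client leaks:", leaked_to_mallory(naive_clone))
    print("rebased client leaks:", leaked_to_mallory(rebased_clone))
```

The suffix check matters beyond the rebasing itself: without it, a redirect to an arbitrary URL on Bob's server would leave the client guessing which path prefix to strip, and it could end up issuing follow-up requests to a path Mallory chose.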