On Tue, May 9, 2017 at 4:22 PM, demerphq <demerphq@xxxxxxxxx> wrote:
> On 9 May 2017 at 13:12, Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> wrote:
>> On Tue, May 9, 2017 at 2:37 AM, brian m. carlson
>> <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> On Tue, May 09, 2017 at 02:00:18AM +0200, Ævar Arnfjörð Bjarmason wrote:
>> * gitweb is vulnerable to CPU DoS now in its default configuration.
>> It's easy to provide an ERE that ends up slurping up 100% CPU for
>> several seconds on any non-trivial sized repo, do that in parallel &
>> you have a DoS vector.
>
> Does one need an ERE? Can't one do that now to many parts of git just
> with a glob?

In practice I don't think so because:

1) I'm now aware of any place where we expose globbing over the wire.

2) AFAICT for the issue detailed in [1] to trigger you also need a
pathological filename in the repo, e.g. I can't get git-ls-files to go
quadratic on either git.git or linux.git, whereas it's pretty easy to
come up with a really expensive regex since there's more content to
choose from when matching file content than filenames.

1. https://public-inbox.org/git/20170424211249.28553-1-avarab@xxxxxxxxx/