check_refname_format allows refs with components that begin with -, even though `git tag` does not

If I try to create a Git tag with a name beginning with `-`,
Git complains.  However, Git does not check that a repository does
not have tags containing `-`.  This almost led to a vulnerability
in the QubesOS `verify-git-tag` script.  Fortunately, this was not
exploitable, as neither `git tag -v`, `git verify-tag --raw`, nor
`git describe` have options that are useful to an attacker.

Since this could cause vulnerabilities in other programs, I initially
reported it as an embargoed security bug, but was told to post it
publicly.

The best idea I had for a fix is to print names beginning with `-`
using the fully-qualified form, such as "refs/tags/-a".  Also, `--`
is used as a delimiter in many commands, and can’t be escaped,
so disallowing it might be a good idea.

In the long run, I hope to see leading dashes banned entirely, but
backwards compatibility might prevent that.

Sincerely,

Demi

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
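
The two defensive measures the message points to, as an added example (not part of the original post and not code from Git or QubesOS): auditing a repository's ref list for components that begin with `-`, and passing a tag to Git in the fully-qualified form so it cannot be parsed as an option. The function names and the sample ref list are constructed for illustration.

```shell
#!/bin/sh
# Added example: handling tag names that begin with '-' in scripts that
# pass them to git. All function names here are hypothetical.

# has_dash_component REF
# Succeeds if any '/'-separated component of REF starts with '-'.
# Prefixing '/' lets one pattern cover the first component as well.
has_dash_component() {
    case "/$1" in
        */-*) return 0 ;;
        *)    return 1 ;;
    esac
}

# audit_refs
# Reads full ref names on stdin (for example the output of
# `git for-each-ref --format='%(refname)' refs/tags`) and prints the
# ones that a script could mistake for an option when shortened.
audit_refs() {
    while IFS= read -r ref; do
        if has_dash_component "$ref"; then
            printf '%s\n' "$ref"
        fi
    done
}

# qualify_tag NAME
# Prints the fully-qualified form of a short tag name ("-a" becomes
# "refs/tags/-a"), which never starts with '-'. Fails on an empty name.
# Intended use: git verify-tag "$(qualify_tag "$name")"
qualify_tag() {
    case "$1" in
        '') return 1 ;;
        *)  printf 'refs/tags/%s\n' "$1" ;;
    esac
}

# Constructed sample ref list; not taken from any real repository.
sample_refs() {
    printf '%s\n' \
        'refs/tags/v1.0' \
        'refs/tags/-v' \
        'refs/tags/release/--raw' \
        'refs/tags/v1-rc1' \
        'refs/heads/main'
}

sample_refs | audit_refs
```
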

