On 11/11/20 5:53 PM, Josh Steadmon wrote:
On 2020.11.04 13:14, Junio C Hamano wrote:
Josh Steadmon <steadmon@xxxxxxxxxx> writes:
When a client receives a trace2-sid capability from a protocol v0, v1,
or v2 server, log the received session ID via a trace2 data event.
Would this pose a new security threat surface? Just wondering if we
want to ignore the capability if it is not enabled on our end with
the configuration.
Thanks.
As Jeff pointed out, the json-writer handles string escapes, so I don't
think we could cause any trouble with the trace2 "event" target. The
"normal" target ignores data events, so this would not show up in a
normal trace2 log. The "perf" target doesn't seem to do any escaping,
but it's intended to be human readable rather than parseable, so I'm not
sure if we need to worry there. Jeff, any thoughts?
Only the "event" target prints the SID and it is JSON quoted there.
Neither the "perf" nor "normal" target print them. The "perf" target
does print the SID "depth" parameter (which is the number of slashes
in the complete SID).
My earlier concerns were about whitespace, CL/LF and other
non-printables in the wire protocol and etc.
Jeff
