Re: ctrl-z ignored by git; creates blobs from non-existent repos

Crls <kaploceh@xxxxxxxxx> writes:

> ... Coincidentally speaking, why a username warrants a prompt
> from git is simply beyond me. I mean, that is certainly the more
> far-fetched reasoning of implementation I've read in a long long
> time.
>
> Can you git-clone a user? What about the user's settings? What
> about the remainder, its gpg tokens and so forth? In other words,
> if a user's repo is not found, why even prompt for a username?
> The latter, that is, the user's repo, is redundant, when the
> prompt is clearly asking for a username, and not a repo.

When you "git clone", you'd give a repository path to the server.
If the repository is not open to the general anonymous public, then
the server needs to check who you are (by asking username) and
verify that you are who you claim to be (by asking password).

Here are two things you need to pay attention to.

 - A user can be the
   owner of more than one repository, and

 - a repository can be accessed by users other than its owner.

So even after the repository is known by the server, the server
still needs to ask you who you are.

Imagine that there are many projects hosted at the same site, the
repository path is named after the codename of the project, and the
project codename is a need-to-know secret.

If the server side reacted differently between an attempt to clone
existing repositories and missing ones, an attacker can try

	git clone https://site.example.com/projects/$X

with many X's and observe the behaviour of the server.  If the
server is known to respond with "no such repository" for a missing
one, while responding with "please identify yourself" for an existing
one, you can easily tell if a word $X is a project codename that is
supposed to be secret.

> Preventing the disclosure of information has nothing to do with
> the issue here. If anything seems clear to me, it is that prompting
> for a username does indeed disclose usernames, private, public
> and whatnot, from either github or gitlab.

When you need to identify yourself to GitHub or GitLab, you'd give
your username and password.  You know that GitHub or GitLab have the
username so it is not secret to them.  Otherwise they wouldn't be
able to even recognise you.

So I am not sure how it "seems clear" that asking for the username
is a problem.  The observed behaviour of asking for the username even
for a missing repository is all about avoiding disclosing one bit
of information: whether a repository exists at the given URL.
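The existence oracle described in the reply above, shown as an added example (not code from the git project or from anyone in this thread): a leaky responder that answers "no such repository" versus "please identify yourself" is compared with a uniform responder that always asks for credentials first, and a defender's self-check probes both the way the reply describes. The repository names, users and messages are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): repository paths mapped to the
# users allowed to read them; None marks a repository open to anonymous reads.
REPOS = {
    "projects/bluejay": {"alice", "bob"},   # need-to-know project codename
    "projects/public-docs": None,
}

@dataclass(frozen=True)
class Response:
    status: int
    body: str

def leaky_clone_response(path, user=None):
    """Answers differently for missing and existing repositories, so an
    unauthenticated request alone reveals whether `path` exists."""
    if path not in REPOS:
        return Response(404, "no such repository")
    readers = REPOS[path]
    if readers is None or user in readers:
        return Response(200, "ok, here is the pack")
    return Response(401, "please identify yourself")

def uniform_clone_response(path, user=None):
    """Asks who you are before saying anything about the repository.
    A missing repository and an existing one you may not read get the
    same answer, both before and after authentication."""
    readers = REPOS.get(path)
    if path in REPOS and readers is None:
        return Response(200, "ok, here is the pack")   # anonymous repo
    if user is None:
        return Response(401, "please identify yourself")
    if readers is not None and user in readers:
        return Response(200, "ok, here is the pack")
    # authenticated but not a reader, or no such repository: identical reply
    return Response(404, "repository not found or access denied")

def existence_oracle(respond, candidates):
    """Defender's self-check: returns the candidate paths whose
    unauthenticated reply differs from that of a path known not to exist.
    A non-empty result means the server leaks the existence bit."""
    baseline = respond("projects/definitely-not-a-project")
    return {c for c in candidates if respond(c) != baseline}
```

Running the self-check against a real deployment means comparing full responses (status, headers and body), since any one of them can carry the bit.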
