[PATCH 0/7] contrib/credential: avoid protocol injection attacks

This series addresses a handful of potential protocol injection attacks
possible via some of the credential helpers in contrib/credential, and
the new "wwwauth[]" directive.

The attack is described in complete detail in 2/7, but roughly boils
down to using a long line to incur multiple fgets() calls which can
treat data in the middle of the line as if it appeared at the beginning.

Luckily, all protocol fields part of tagged versions of Git are immune
from this attack. Briefly:

  - "protocol" is restricted to known values
  - "host" is immune because curl will reject hostnames that have a '='
    character in them, which would be required to carry out this attack.
  - "username", and "path" are immune, because the buffer characters to
    fill out the first `fgets()` call would pollute the
    `username`/`path` field, causing the credential helper to return
    nothing
  - "password" is immune because providing a password instructs
    credential helpers to avoid filling credentials in the first place.

But the new "wwwauth[]" field does allow this attack to take place.

Since these credential helpers are tested via t0303 (which requires some
extensive set-up), we opted not to make these fixes during the last
embargo period, and instead do them before the "wwwauth[]" feature
becomes part of a tagged version.

With the additional time, we have been able to verify that the affected
credential helpers which are modified in this series all fail the new
test before their patches, and pass afterwards. Thanks to Peff for
looking at libsecret, Matthew Cheetham for looking at wincred. I looked
at osxkeychain.

Taylor Blau (7):
  credential.c: store "wwwauth[]" values in `credential_read()`
  t/lib-credential.sh: ensure credential helpers handle long headers
  contrib/credential: avoid fixed-size buffer in osxkeychain
  contrib/credential: remove 'gnome-keyring' credential helper
  contrib/credential: .gitignore libsecret build artifacts
  contrib/credential: avoid fixed-size buffer in libsecret
  contrib/credential: embiggen fixed-size buffer in wincred

 contrib/credential/gnome-keyring/.gitignore   |   1 -
 contrib/credential/gnome-keyring/Makefile     |  25 -
 .../git-credential-gnome-keyring.c            | 470 ------------------
 contrib/credential/libsecret/.gitignore       |   1 +
 .../libsecret/git-credential-libsecret.c      |  15 +-
 .../osxkeychain/git-credential-osxkeychain.c  |  10 +-
 .../wincred/git-credential-wincred.c          |  21 +-
 credential.c                                  |   2 +
 t/lib-credential.sh                           |  29 ++
 9 files changed, 63 insertions(+), 511 deletions(-)
 delete mode 100644 contrib/credential/gnome-keyring/.gitignore
 delete mode 100644 contrib/credential/gnome-keyring/Makefile
 delete mode 100644 contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
 create mode 100644 contrib/credential/libsecret/.gitignore

-- 
2.40.1.452.gb3cd41c833
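
The fgets() behaviour summarised in the cover letter, shown as an added example that is not part of the original message or of Git's code: the same reader either returns after a single fgets() call or keeps growing its buffer until the newline. The names read_line, count_key, demo_host_lines and CHUNK, and the sample input, are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CHUNK 64 /* constructed buffer size, kept small for the sample */

/* grow == 0: return after one fgets() call (the fixed-size-buffer pattern).
 * grow != 0: enlarge the buffer until the newline, so a line comes back whole. */
static char *read_line(FILE *fp, int grow)
{
	size_t cap = CHUNK, len = 0;
	char *line = malloc(cap), *tmp;
	while (line && fgets(line + len, (int)(cap - len), fp)) {
		len += strlen(line + len);
		if (!grow || (len && line[len - 1] == '\n')) return line;
		if (!(tmp = realloc(line, cap *= 2))) { free(line); return NULL; }
		line = tmp;
	}
	if (line && !len) { free(line); line = NULL; } /* EOF, nothing read */
	return line; /* otherwise: final line without a trailing newline */
}

/* Counts the "lines" that begin with key followed by '='. */
static int count_key(FILE *fp, const char *key, int grow)
{
	size_t klen = strlen(key);
	int hits = 0;
	char *line;
	for (; (line = read_line(fp, grow)); free(line))
		hits += !strncmp(line, key, klen) && line[klen] == '=';
	return hits;
}

/* Constructed input: zero padding ends the first 63-byte chunk just before "host=". */
static int demo_host_lines(int grow)
{
	FILE *fp = tmpfile();
	int hits;
	if (!fp) return -1;
	fprintf(fp, "protocol=https\nwwwauth[]=%0*dhost=constructed.invalid\n", CHUNK - 11, 0);
	rewind(fp);
	hits = count_key(fp, "host", grow);
	fclose(fp);
	return hits;
}

int main(void)
{
	return printf("single fgets: %d, whole line: %d\n", demo_host_lines(0), demo_host_lines(1)) < 0;
}
```

The input contains no line that starts with "host=", so a reader that parses whole lines reports zero; the single-fgets() reader reports one because the tail of the long "wwwauth[]" line is handed to the parser as if it were a new line.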


