On Mon, Apr 22, 2024 at 07:48:12PM +0000, Calvin Wan wrote: > > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > index bcd3f575a3..2264a88c41 100644 > > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > @@ -69,6 +69,12 @@ static void find_internet_password(void) > > UInt32 len; > > SecKeychainItemRef item; > > > > + /* > > + * Require at valid host to fix CVE-2020-11008 > > + */ > > + if (!host || !*host) > > + return; > > + > > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > > return; > > > > -- > > 2.26.2.111.gbff22aa583 > > > > We're currently using this patch downstream (removed the check for > !*host after updates to this file), but I was wondering whether this > change should also be in main. It seems like the discussion around this > stalled and there was no definitive conclusion, but the change also at > worst does nothing and could possibly be useful -- I see other functions > where we're checking for the existence of "host". I wasn't around when > all the changes around this CVE were happening so I'm not exactly sure > how useful this patch this and whether we can get rid of it or not. I think this is mostly redundant with the protection on the sending side from 8ba8ed568e (credential: refuse to operate when missing host or protocol, 2020-04-18). Locking down the individual helpers more might be useful if they are run as independent programs (e.g., you could run "osxkeychain" manually and feed it input with a host, which would make its matching quite liberal). But since there isn't a way to trigger it in a normal workflow with untrusted input, I don't think there's much of a security implication. Looking at the patch above, I think it may cause issues with protocols that do not have a host (like "cert" ones we use for storing client-side certificate passphrases). But I'm not sure that osxkeychain can handle those anyway. I'm also not sure we didn't break that in 8ba8ed568e. That patch allows an empty string for the host, and the code in http.c to set up the credential struct for the cert uses an empty string. But doing a trivial test seems broken: $ touch foo.cert $ git -c http.sslcert=foo.cert ls-remote ... fatal: refusing to work with credential missing host field Curiously if you feed it a real cert and matching key, then curl itself prompts for the passphrase! And if you provide the correct one, then it does not need to check credential config/helpers, and it works. If you provide a bad one, we hit that same message trying to "reject" it (and I think that is what happens with the fake cert; curl likewise complains and we try to erase the passphrase before trying again). But that also means we have no opportunity to prompt/store ourselves, if curl is handling it. If you set GIT_SSL_CERT_PASSWORD_PROTECTED, then we do our own prompt ahead of time (and this correctly sets the hostname to the empty string). So the whole cert auth handling is kind of wonky, and it's not clear to me that anybody actually uses it, or what's supposed to work and what isn't. That's all sort of a tangent to your question, of course. ;) It is interesting that the fix we did in 8ba8ed568e still allows empty string hostnames, as I think such a hostname would cause osxkeychain to still liberally match its contents. So in that case maybe the patch above is doing something? I dunno. I think the real protection is avoiding either a NULL or empty-string hostname based on untrusted input in the first place. -Peff
