git-commit-vandalism/Documentation
Jeff King 50d3413740 http: make redirects more obvious
We instruct curl to always follow HTTP redirects. This is
convenient, but it creates opportunities for malicious
servers to create confusing situations. For instance,
imagine Alice is a git user with access to a private
repository on Bob's server. Mallory runs her own server and
wants to access objects from Bob's repository.

Mallory may try a few tricks that involve asking Alice to
clone from her, build on top, and then push the result:

  1. Mallory may simply redirect all fetch requests to Bob's
     server. Git will transparently follow those redirects
     and fetch Bob's history, which Alice may believe she
     got from Mallory. The subsequent push seems like it is
     just feeding Mallory back her own objects, but is
     actually leaking Bob's objects. There is nothing in
     git's output to indicate that Bob's repository was
     involved at all.

     The downside (for Mallory) of this attack is that Alice
     will have received Bob's entire repository, and is
     likely to notice that when building on top of it.

  2. If Mallory happens to know the sha1 of some object X in
     Bob's repository, she can instead build her own history
     that references that object. She then runs a dumb http
     server, and Alice's client will fetch each object
     individually. When it asks for X, Mallory redirects her
     to Bob's server. The end result is that Alice obtains
     objects from Bob, but they may be buried deep in
     history. Alice is less likely to notice.

Both of these attacks are fairly hard to pull off. There's a
social component in getting Mallory to convince Alice to
work with her. Alice may be prompted for credentials in
accessing Bob's repository (but not always, if she is using
a credential helper that caches). Attack (1) requires a
certain amount of obliviousness on Alice's part while making
a new commit. Attack (2) requires that Mallory knows a sha1
in Bob's repository, that Bob's server supports dumb http,
and that the object in question is loose on Bob's server.

But we can probably make things a bit more obvious without
any loss of functionality. This patch does two things to
that end.

First, when we encounter a whole-repo redirect during the
initial ref discovery, we now inform the user on stderr,
making attack (1) much more obvious.

Second, the decision to follow redirects is now
configurable. The truly paranoid can set the new
http.followRedirects to false to avoid any redirection
entirely. But for a more practical default, we will disallow
redirects only after the initial ref discovery. This is
enough to thwart attacks similar to (2), while still
allowing the common use of redirects at the repository
level. Since c93c92f30 (http: update base URLs when we see
redirects, 2013-09-28) we re-root all further requests from
the redirect destination, which should generally mean that
no further redirection is necessary.

As an escape hatch, in case there really is a server that
needs to redirect individual requests, the user can set
http.followRedirects to "true" (and this can be done on a
per-server basis via http.*.followRedirects config).

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-12-06 12:32:48 -08:00
..
howto new-command.txt: correct the command description file 2016-06-27 06:11:57 -07:00
RelNotes Prepare for 2.9.4 2016-09-08 21:37:59 -07:00
technical Merge branch 'ls/packet-line-protocol-doc-fix' into maint 2016-09-08 21:35:57 -07:00
.gitattributes
.gitignore doc: generate a list of valid merge tools 2013-02-02 21:46:52 -08:00
asciidoc.conf Documentation: avoid poor-man's small caps GIT 2013-02-01 13:53:25 -08:00
blame-options.txt Merge branch 'ea/blame-progress' 2016-01-12 15:16:54 -08:00
build-docdep.perl
cat-texi.perl Documentation: Strip texinfo anchors to avoid duplicates 2013-04-03 16:14:19 -07:00
cmd-list.perl command-list: prepare machinery for upcoming "common groups" section 2015-05-21 13:03:37 -07:00
CodingGuidelines CodingGuidelines: formatting HEAD in documentation 2016-06-28 08:36:45 -07:00
config.txt http: make redirects more obvious 2016-12-06 12:32:48 -08:00
date-formats.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
diff-config.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
diff-format.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
diff-generate-patch.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
diff-options.txt Merge branch 'jc/doc-diff-filter-exclude' into maint 2016-08-08 14:21:44 -07:00
docbook-xsl.css
docbook.xsl
everyday.txto Documentation: fix linkgit references 2016-05-09 15:44:14 -07:00
fetch-options.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
fix-texi.perl
fmt-merge-msg-config.txt Documentation: include 'merge.branchdesc' for merge and config as well 2015-05-28 12:38:46 -07:00
git-add.txt git-add doc: do not say working directory when you mean working tree 2016-01-21 09:06:35 -08:00
git-am.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-annotate.txt
git-apply.txt git-apply.txt: mention the behavior inside a subdir 2016-03-24 10:16:52 -07:00
git-archimport.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-archive.txt docs: clarify remote restrictions for git-upload-archive 2014-02-28 09:55:35 -08:00
git-bisect-lk2009.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-bisect.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-blame.txt blame: add support for --[no-]progress option 2015-12-16 10:18:34 -08:00
git-branch.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-bundle.txt transport: drop support for git-over-rsync 2016-02-01 13:07:41 -08:00
git-cat-file.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-check-attr.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-check-ignore.txt Documentation: fix linkgit references 2016-05-09 15:44:14 -07:00
git-check-mailmap.txt builtin: add git-check-mailmap command 2013-07-13 10:19:37 -07:00
git-check-ref-format.txt Merge branch 'nd/doc-check-ref-format-typo' into maint 2015-12-11 11:14:15 -08:00
git-checkout-index.txt
git-checkout.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-cherry-pick.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-cherry.txt Documentation: revamp git-cherry(1) 2013-11-27 12:16:49 -08:00
git-citool.txt
git-clean.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-clone.txt Merge branch 'sb/clone-shallow-passthru' into maint 2016-07-11 10:44:12 -07:00
git-column.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-commit-tree.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-commit.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-config.txt Merge branch 'dg/document-git-c-in-git-config-doc' into maint 2016-09-08 21:35:56 -07:00
git-count-objects.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-credential-cache--daemon.txt credential-cache: close stderr in daemon process 2014-09-16 11:11:58 -07:00
git-credential-cache.txt credential-cache--daemon: disallow relative socket path 2016-02-23 12:56:27 -08:00
git-credential-store.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-credential.txt Documentation: make AsciiDoc links always point to HTML files 2013-09-06 14:49:06 -07:00
git-cvsexportcommit.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-cvsimport.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-cvsserver.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-daemon.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-describe.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-diff-files.txt
git-diff-index.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-diff-tree.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-diff.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-difftool.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-fast-export.txt doc: convert \--option to --option 2015-05-12 22:14:46 -07:00
git-fast-import.txt doc: typeset '--' as literal 2016-06-28 08:36:45 -07:00
git-fetch-pack.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-fetch.txt Merge branch 'jc/em-dash-in-doc' into maint 2015-11-04 14:20:45 -08:00
git-filter-branch.txt doc: typeset '--' as literal 2016-06-28 08:36:45 -07:00
git-fmt-merge-msg.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-for-each-ref.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-format-patch.txt Merge branch 'tr/doc-tt' into maint 2016-07-06 13:06:34 -07:00
git-fsck-objects.txt
git-fsck.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-gc.txt doc: change configuration variables format 2016-06-08 12:04:55 -07:00
git-get-tar-commit-id.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-grep.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-gui.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-hash-object.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-help.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-http-backend.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-http-fetch.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-http-push.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-imap-send.txt imap-send: use cURL automatically when NO_OPENSSL defined 2015-03-10 15:19:05 -07:00
git-index-pack.txt clone: open a shortcut for connectivity check 2013-05-28 08:07:20 -07:00
git-init-db.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-init.txt Merge branch 'tr/doc-tt' into maint 2016-07-06 13:06:34 -07:00
git-instaweb.txt doc: change configuration variables format 2016-06-08 12:04:55 -07:00
git-interpret-trailers.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-log.txt Merge branch 'tr/doc-tt' into maint 2016-07-06 13:06:34 -07:00
git-ls-files.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-ls-remote.txt ls-remote: add support for showing symrefs 2016-01-19 10:07:56 -08:00
git-ls-tree.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-mailinfo.txt Merge branch 'va/mailinfo-doc-typofix' into maint 2016-05-26 13:17:14 -07:00
git-mailsplit.txt
git-merge-base.txt merge-base: teach "--fork-point" mode 2013-10-29 13:06:08 -07:00
git-merge-file.txt merge-file: clamp exit code to maximum 127 2015-10-29 12:10:23 -07:00
git-merge-index.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-merge-one-file.txt
git-merge-tree.txt use 'tree-ish' instead of 'treeish' 2013-09-04 15:02:56 -07:00
git-merge.txt pull: pass --allow-unrelated-histories to "git merge" 2016-04-21 11:58:51 -07:00
git-mergetool--lib.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-mergetool.txt mergetool: document the default for --[no-]prompt 2014-04-24 11:29:05 -07:00
git-mktag.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-mktree.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-mv.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-name-rev.txt use 'commit-ish' instead of 'committish' 2013-09-04 15:03:03 -07:00
git-notes.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-p4.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-pack-objects.txt document git-repack interaction of pack.threads and pack.windowMemory 2016-08-10 10:55:13 -07:00
git-pack-redundant.txt
git-pack-refs.txt Documentation: remove --prune from pack-refs examples 2013-07-18 16:23:46 -07:00
git-parse-remote.txt
git-patch-id.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-prune-packed.txt Documentation: adjust document title underlining 2014-10-13 13:35:18 -07:00
git-prune.txt worktree: new place for "git prune --worktrees" 2015-06-29 08:48:44 -07:00
git-pull.txt pull --rebase: add --[no-]autostash flag 2016-03-21 13:30:36 -07:00
git-push.txt Merge branch 'jk/push-force-with-lease-creation' into maint 2016-09-08 21:35:53 -07:00
git-quiltimport.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-read-tree.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-rebase.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-receive-pack.txt *config.txt: stick to camelCase naming convention 2015-03-13 22:13:46 -07:00
git-reflog.txt git-reflog: add exists command 2015-07-21 14:08:14 -07:00
git-relink.txt
git-remote-ext.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
git-remote-fd.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
git-remote-helpers.txto Rename {git- => git}remote-helpers.txt 2013-02-01 14:12:34 -08:00
git-remote-testgit.txt Merge branch 'jk/remote-helpers-doc' 2013-02-07 14:41:45 -08:00
git-remote.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-repack.txt document git-repack interaction of pack.threads and pack.windowMemory 2016-08-10 10:55:13 -07:00
git-replace.txt doc: change environment variables format 2016-06-08 12:04:37 -07:00
git-request-pull.txt doc: show usage of branch description 2015-09-14 12:50:33 -07:00
git-rerere.txt *config.txt: stick to camelCase naming convention 2015-03-13 22:13:46 -07:00
git-reset.txt Merge branch 'jl/nor-or-nand-and' 2014-04-08 12:00:28 -07:00
git-rev-list.txt Merge branch 'jk/date-local' 2015-10-05 12:30:13 -07:00
git-rev-parse.txt rev-parse --parseopt: allow [*=?!] in argument hints 2015-07-15 10:30:54 -07:00
git-revert.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-rm.txt rm: better document side effects when removing a submodule 2014-01-07 14:34:06 -08:00
git-send-email.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-send-pack.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-sh-i18n--envsubst.txt
git-sh-i18n.txt
git-sh-setup.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-shell.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-shortlog.txt git-shortlog.txt: make SYNOPSIS match log, update OPTIONS 2013-04-21 23:11:02 -07:00
git-show-branch.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-show-index.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-show-ref.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-show.txt doc: convert \--option to --option 2015-05-12 22:14:46 -07:00
git-stage.txt Documentation: adjust document title underlining 2014-10-13 13:35:18 -07:00
git-stash.txt stash: allow "stash show" diff output configurable 2015-08-31 11:29:04 -07:00
git-status.txt Documentation: explain optional arguments better 2015-09-21 10:48:23 -07:00
git-stripspace.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-submodule.txt Merge branch 'sb/submodule-deinit-all' 2016-05-17 14:38:20 -07:00
git-svn.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-symbolic-ref.txt git symbolic-ref --delete $symref 2012-10-21 12:17:38 -07:00
git-tag.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-tools.txt Documentation/git-tools: retire manually-maintained list 2015-07-28 13:21:59 -07:00
git-unpack-file.txt
git-unpack-objects.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-update-index.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-update-ref.txt update-ref and tag: add --create-reflog arg 2015-07-21 14:08:35 -07:00
git-update-server-info.txt
git-upload-archive.txt Documentation: match underline with the text 2015-10-22 10:16:12 -07:00
git-upload-pack.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-var.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-verify-commit.txt Merge branch 'dn/gpg-doc' into maint 2016-07-06 13:06:36 -07:00
git-verify-pack.txt git-verify-pack.txt: fix inconsistent spelling of "packfile" 2015-05-17 11:24:57 -07:00
git-verify-tag.txt verify-tag: add option to print raw gpg status information 2015-06-22 14:20:47 -07:00
git-web--browse.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-whatchanged.txt whatchanged: document its historical nature 2013-08-13 09:01:54 -07:00
git-worktree.txt worktree: add: introduce --checkout option 2016-03-29 11:12:36 -07:00
git-write-tree.txt
git.txt Git 2.9.3 2016-08-12 09:17:51 -07:00
gitattributes.txt Merge branch 'jc/renormalize-merge-kill-safer-crlf' into maint 2016-09-08 21:35:52 -07:00
gitcli.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
gitcore-tutorial.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
gitcredentials.txt credential: let empty credential specs reset helper list 2016-02-26 10:58:14 -08:00
gitcvs-migration.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
gitdiffcore.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
giteveryday.txt Documentation/everyday: match undefline with the text 2015-10-22 10:14:44 -07:00
gitglossary.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
githooks.txt hooks: allow customizing where the hook directory is 2016-05-04 16:25:13 -07:00
gitignore.txt doc: change configuration variables format 2016-06-08 12:04:55 -07:00
gitk.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
gitmodules.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
gitnamespaces.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitremote-helpers.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
gitrepository-layout.txt Documentation/git-worktree: wordsmith worktree-related manpages 2015-07-20 11:07:18 -07:00
gitrevisions.txt Documentation: match underline with the text 2015-10-22 10:16:12 -07:00
gittutorial-2.txt Merge branch 'sn/tutorial-status-output-example' 2014-11-19 13:47:59 -08:00
gittutorial.txt transport: drop support for git-over-rsync 2016-02-01 13:07:41 -08:00
gitweb.conf.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
gitweb.txt doc: change environment variables format 2016-06-08 12:04:37 -07:00
gitworkflows.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
glossary-content.txt Merge branch 'rn/glossary-typofix' into HEAD 2016-05-18 14:40:14 -07:00
howto-index.sh howto-index.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:57 -07:00
i18n.txt Documentation/i18n.txt: clarify character encoding support 2015-07-01 14:55:53 -07:00
install-doc-quick.sh
install-webdoc.sh install-webdoc.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:58 -07:00
line-range-format.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
lint-gitlink.perl ci: validate "linkgit:" in documentation 2016-05-10 11:15:04 -07:00
mailmap.txt Merge branch 'jk/mailmap-from-blob' 2013-01-05 23:41:42 -08:00
Makefile Documentation/technical: describe signature formats 2016-06-17 11:39:05 -07:00
manpage-1.72.xsl
manpage-base-url.xsl.in Documentation: Avoid use of xmlto --stringparam 2009-12-05 10:03:49 -08:00
manpage-base.xsl
manpage-bold-literal.xsl
manpage-normal.xsl
manpage-quote-apos.xsl
manpage-suppress-sp.xsl
merge-config.txt doc: change environment variables format 2016-06-08 12:04:37 -07:00
merge-options.txt Merge branch 'kf/gpg-sig-verification-doc' 2016-05-17 14:38:39 -07:00
merge-strategies.txt merge-strategies.txt: fix typo 2016-02-22 10:42:52 -08:00
pretty-formats.txt doc/pretty-formats: explain shortening of %gd 2016-07-22 13:47:33 -07:00
pretty-options.txt Merge branch 'tr/doc-tt' into maint 2016-07-06 13:06:34 -07:00
pull-fetch-param.txt docs: Explain the purpose of fetch's and pull's <refspec> parameter. 2014-06-12 09:59:13 -07:00
rev-list-options.txt Merge branch 'jk/reflog-date' into maint 2016-09-08 21:35:52 -07:00
revisions.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
sequencer.txt
SubmittingPatches SubmittingPatches: use gitk's "Copy commit summary" format 2016-08-26 15:58:10 -07:00
urls-remotes.txt Documentation: match underline with the text 2015-10-22 10:16:12 -07:00
urls.txt transport: drop support for git-over-rsync 2016-02-01 13:07:41 -08:00
user-manual.conf
user-manual.txt documentation: fix some typos 2016-03-03 13:43:36 -08:00