rpms / mercurial

Clone
Source Code
GIT

Files

el4 el5 epel9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   f23
  2.   3-subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.diff
Blob Blame History Raw 
# HG changeset patch
# User Mateusz Kwapich <mitrandir@fb.com>
# Date 1458535941 25200
#      Sun Mar 20 21:52:21 2016 -0700
# Branch stable
# Node ID 34d43cb85de8d06764039d8868eee19d00fddeab
# Parent  b9714d958e89cd6ff1da46b46f39076c03325ac7
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)

CVE-2016-3068 (1/1)

Git's git-remote-ext remote helper provides an ext:: URL scheme that
allows running arbitrary shell commands. This feature allows
implementing simple git smart transports with a single shell shell
command. However, git submodules could clone arbitrary URLs specified
in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
in git v2.6.1.

However, if a user directly clones a malicious ext URL, the git client
will still run arbitrary shell commands.

Mercurial is similarly effected. Mercurial allows specifying git
repositories as subrepositories. Git ext:: URLs can be specified as
Mercurial subrepositories allowing arbitrary shell commands to be run
on `hg clone ...`.


The Mercurial community would like to thank Blake Burkhart for
reporting this issue. The description of the issue is copied from
Blake's report.

This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
variable to git commands  with the same list of allowed protocols that
git submodule is using.

When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
to git without modifications.

diff --git a/mercurial/subrepo.py b/mercurial/subrepo.py
--- a/mercurial/subrepo.py
+++ b/mercurial/subrepo.py
@@ -1383,6 +1383,11 @@ class gitsubrepo(abstractsubrepo):
         are not supported and very probably fail.
         """
         self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
+        if env is None:
+            env = os.environ.copy()
+        # fix for Git CVE-2015-7545
+        if 'GIT_ALLOW_PROTOCOL' not in env:
+            env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
         # unless ui.quiet is set, print git's stderr,
         # which is mostly progress and useful info
         errpipe = None
diff --git a/tests/test-subrepo-git.t b/tests/test-subrepo-git.t
--- a/tests/test-subrepo-git.t
+++ b/tests/test-subrepo-git.t
@@ -1132,4 +1132,36 @@ make sure we show changed files, rather 
   ? s/foobar.orig
   ? s/snake.python.orig
 
+test for Git CVE-2016-3068
+  $ hg init malicious-subrepository
+  $ cd malicious-subrepository
+  $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub
+  $ git init s
+  Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/
+  $ cd s
+  $ git commit --allow-empty -m 'empty'
+  [master (root-commit) 153f934] empty
   $ cd ..
+  $ hg add .hgsub
+  $ hg commit -m "add subrepo"
+  $ cd ..
+  $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
+  Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...
+  fatal: transport 'ext' not allowed
+  updating to branch default
+  cloning subrepo s from ext::sh -c echo% pwned% >&2
+  abort: git clone error 128 in s (in subrepo s)
+  [255]
+
+whitelisting of ext should be respected (that's the git submodule behaviour)
+  $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed
+  Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...
+  pwned
+  fatal: Could not read from remote repository.
+  
+  Please make sure you have the correct access rights
+  and the repository exists.
+  updating to branch default
+  cloning subrepo s from ext::sh -c echo% pwned% >&2
+  abort: git clone error 128 in s (in subrepo s)
+  [255]
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.