[darcs-users] darcs patch: Extended DARCS_GET_FOO example.

Trent W. Buck trentbuck at gmail.com
Wed Jun 24 03:19:56 UTC 2009


Reinier Lamers <tux_rocker at reinier.de> writes:

> Hi all,
>
> On Sunday 21 June 2009 20:06:54 Eric Kow wrote:
>> On Sun, Jun 21, 2009 at 23:10:59 +1000, Trent W.Buck wrote:
>> > Incidentally, it looks like when "darcs push" calls "darcs apply" on
>> > the remote end, it assumes that the repository path contains no
>> > apostrophes.  THIS IS AN INJECTION ATTACK in the case where you give
>> > someone permission to "darcs push" to your ssh server, but do not give
>> > them a full shell.
>>
>> Sounds like one for the bug tracker at least.
>> Is this something that we should consider to be urgent?
>
> Seems to me that that depends on whether we ever advertised that
> 'darcs push' rights can be given independently from full shell
> rights. There are awfully many creepholes to get a full shell when you
> can execute another command, so if the darcs documentation stays
> silent about it, a sysadmin should not assume that it is safe to let
> untrusted people use darcs-over-ssh.
>
> Another creephole I can think of is pushing a patch that sets the test
> pref to a non-darcs command. And then there are pre- and
> posthooks. Has anyone ever tried to lock down all of that? Otherwise
> we should just tell people that giving someone push rights equals
> giving shell rights.

I agree with everything Reinier says above.
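
The apostrophe problem quoted above, as an added example that is not part of the original message or of darcs itself: it compares wrapping a repository path in bare single quotes with escaping it via `shlex.quote`, and tokenizes the result the way a POSIX shell would, without executing anything. The command shape `darcs apply --all --repodir <path>` and the sample paths are assumptions constructed for illustration; the thread does not show the exact string darcs sends.

```python
import shlex

# Assumed shape of the remote command; the thread does not show the real string.
PREFIX = "darcs apply --all --repodir "


def naive_remote_command(repo_path):
    """Flawed pattern: wrap the path in single quotes without escaping it."""
    return PREFIX + "'" + repo_path + "'"


def quoted_remote_command(repo_path):
    """Escape embedded apostrophes so a POSIX shell sees one argument."""
    return PREFIX + shlex.quote(repo_path)


def remote_argv(command):
    """Tokenize as a POSIX shell would; nothing is executed."""
    return shlex.split(command)


def path_survives(build, repo_path):
    """True if the remote side would receive repo_path as the single, final argument."""
    try:
        argv = remote_argv(build(repo_path))
    except ValueError:  # unbalanced quote: the remote shell would reject the line
        return False
    return argv == ["darcs", "apply", "--all", "--repodir", repo_path]


# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    "/srv/repos/project",
    "/srv/repos/trent's repo",
    "/srv/repos/a' --extra-arg 'b",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(repr(path))
        print("  naive :", path_survives(naive_remote_command, path))
        print("  quoted:", path_survives(quoted_remote_command, path))
```

Quoting only fixes how the path reaches the remote shell; the test pref and the pre- and posthooks raised in the quoted reply are separate routes that it does not close.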


