1. 10 Dec, 2019 2 commits
    • Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS · 3f7851ea
      A little-known feature of NTFS is that it offers to store metadata in
      so-called "Alternate Data Streams" (inspired by Apple's "resource
      forks") that are copied together with the file they are associated with.
      These Alternate Data Streams can be accessed via `<file name>:<stream
      name>:<stream type>`.
      
      Directories, too, have Alternate Data Streams, and they even have a
      default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
      `abc::$INDEX_ALLOCATION/` are actually equivalent.
      
      This is of course another attack vector on the Git directory that we
      definitely want to prevent.
      
      On Windows, we already do this incidentally, by disallowing colons in
      file/directory names.
      
      While it looks as if files'/directories' Alternate Data Streams are not
      accessible in the Windows Subsystem for Linux, and neither via
      CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
      them on SMB-mounted network shares on macOS.
      
      Therefore, let's go the extra mile and prevent this particular attack
      _everywhere_. To keep things simple, let's just disallow *any* Alternate
      Data Stream of `.git`.
      
      This is libgit2's variant of CVE-2019-1352.
      
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      Johannes Schindelin committed
    • Protect against 8.3 "short name" attacks also on Linux/macOS · 64c612cc
      The Windows Subsystem for Linux (WSL) is getting increasingly popular,
      in particular because it makes it _so_ easy to run Linux software on
      Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to
      `/mnt/c/`, no need to set that up manually).
      
      Unfortunately, files/directories on the Windows drives can be accessed
      via their _short names_, if that feature is enabled (which it is on the
      `C:` drive by default).
      
      Which means that we have to safeguard even our Linux users against the
      short name attacks.
      
      Further, while the default options of CIFS/SMB-mounts seem to disallow
      accessing files on network shares via their short names on Linux/macOS,
      it _is_ possible to do so with the right options.
      
      So let's just safe-guard against short name attacks _everywhere_.
      
      Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      Johannes Schindelin committed
  2. 20 Jul, 2019 1 commit
  3. 10 Jun, 2018 1 commit
  4. 23 May, 2018 1 commit
  5. 22 May, 2018 1 commit
  6. 04 Feb, 2015 1 commit
  7. 03 Feb, 2015 1 commit
  8. 30 Jan, 2015 1 commit
  9. 20 Jan, 2015 1 commit
  10. 17 Dec, 2014 1 commit
  11. 16 Dec, 2014 2 commits
    • checkout: disallow bad paths on HFS · 11d67b75
      HFS filesystems ignore some characters like U+200C.  When these
      characters are included in a path, they will be ignored for the
      purposes of comparison with other paths.  Thus, if you have a ".git"
      folder, a folder of ".git<U+200C>" will also match.  Protect our
      ".git" folder by ensuring that ".git<U+200C>" and friends do not match it.
      Edward Thomson committed
    • checkout: disallow bad paths on win32 · a64119e3
      Disallow:
       1. paths with trailing dot
       2. paths with trailing space
       3. paths with trailing colon
       4. paths that are 8.3 short names of .git folders ("GIT~1")
       5. paths that are reserved path names (COM1, LPT1, etc).
       6. paths with reserved DOS characters (colons, asterisks, etc)
      
      These paths would (without \\?\ syntax) be elided to other paths - for
      example, ".git." would be written as ".git".  As a result, writing these
      paths literally (using \\?\ syntax) makes them hard to operate with from
      the shell, Windows Explorer or other tools.  Disallow these.
      Edward Thomson committed