On Thu, Dec 01, 2016 at 04:03:37AM -0500, Jeff King wrote:

> Jann Horn brought up on the git-security list some interesting
> social-engineering attacks around the way Git handles HTTP redirects.
> These patches are my attempt to harden our redirect handling against
> these attacks.

There's one other possible attack I thought of while discussing [1],
that is worth mentioning.

We limited the number of http redirects in b25811646 (http: limit
redirection depth, 2015-09-22). But what about http-alternates? Could
you redirect to yourself via http-alternates and convince a client to
loop infinitely?

It looks like no, because we do not seem to handle recursive
alternates at all in the http walker. Which means that repositories with
recursive local alternates cannot be fetched over dumb-http. But it also
means that we don't have to worry about limiting the recursion depth.

-Peff

[1] http://public-inbox.org/git/fe33de5b5f0b3da68b249cc4a49a6d7@3c843fe6ba8f3c586a21345a2783aa0/
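To make the two bounding strategies above concrete, here is a small simulated dumb-http walker (an added illustration, not git's own code; the redirect table, alternates lists and example.test URLs are constructed sample data). It contrasts a hard redirect limit in the spirit of b25811646 with two ways of handling http-alternates: the one-level, non-recursive reading Peff describes, which cannot loop, and a recursive variant that stays safe only because it carries both a visited set and a depth cap.

```python
"""Simulated dumb-http walker: why redirect and alternates following
must be bounded.  Added illustration, not git's code; all tables and
URLs below are constructed sample data."""


class RedirectLimitExceeded(Exception):
    """Raised when a redirect chain exceeds the configured depth."""


# Constructed "server": a URL that is a key here answers with a redirect.
REDIRECTS = {
    "http://example.test/a.git": "http://example.test/b.git",
    "http://example.test/b.git": "http://example.test/a.git",      # a <-> b loop
    "http://example.test/hop1.git": "http://example.test/hop2.git",
    "http://example.test/hop2.git": "http://example.test/repo.git",
}

# Constructed objects/info/http-alternates contents per repository URL.
ALTERNATES = {
    "http://example.test/repo.git": ["http://example.test/shared.git"],
    "http://example.test/shared.git": ["http://example.test/repo.git"],  # 2-cycle
    "http://example.test/self.git": ["http://example.test/self.git"],    # self-ref
    "http://example.test/chain0.git": ["http://example.test/chain1.git"],
    "http://example.test/chain1.git": ["http://example.test/chain2.git"],
    "http://example.test/chain2.git": ["http://example.test/chain3.git"],
}


def follow_redirects(url, max_redirects=3):
    """Resolve url through the simulated redirect table.  A fixed hop
    budget turns an attacker-controlled redirect loop into an error
    instead of an endless fetch."""
    hops = 0
    while url in REDIRECTS:
        if hops >= max_redirects:
            raise RedirectLimitExceeded(
                f"more than {max_redirects} redirects starting at {url}")
        url = REDIRECTS[url]
        hops += 1
    return url


def alternates_one_level(url):
    """Non-recursive handling: read only the repository's own alternates
    file and never open the alternates of an alternate.  A self-reference
    or cycle cannot cause a loop, at the cost of not discovering
    recursively chained alternates at all."""
    return list(ALTERNATES.get(url, []))


def alternates_bounded(url, max_depth=5):
    """Recursive handling kept safe by two guards: a visited set breaks
    cycles and self-references, and max_depth caps long chains.  Returns
    the discovered alternate URLs in breadth-first order, excluding url."""
    seen = {url}
    found = []
    frontier = [url]
    for _level in range(max_depth):
        next_frontier = []
        for repo in frontier:
            for alt in ALTERNATES.get(repo, []):
                if alt in seen:
                    continue          # cycle or duplicate: skip, don't loop
                seen.add(alt)
                found.append(alt)
                next_frontier.append(alt)
        if not next_frontier:
            break                     # nothing new at this depth: done
        frontier = next_frontier
    return found
```

Run against the constructed tables, `follow_redirects` resolves the two-hop chain but raises on the a/b loop, `alternates_one_level` returns a self-referencing entry without ever following it, and `alternates_bounded` returns an empty list for the self-reference and stops after `max_depth` entries of the chain.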
