Date: Thu, 29 Sep 2016 17:40:04 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: git-hub: missing sanitization of data received from GitHub

git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git command-line 
interface to GitHub. When you ask it to clone a repository, it will call:

   git clone <repourl> <reponame>

where both <repourl> and <reponame> come from the GitHub API, without any 
sanitization. Operators of the GitHub server (or a MitM attacker[*]) could 
exploit this for directory traversal or, more excitingly, for arbitrary code 
execution, either via option injection, e.g.:

   git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl

or more directly with git-remote-ext, e.g.:

   git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo
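A defensive counterpart to the above, as an added example that is not git-hub's own code: validate both API-supplied values against an allowlist before building the command line, and put `--` in front of the positional arguments so git never parses either of them as an option. The names is_safe_repo_name, is_safe_repo_url and build_clone_argv are my own, and the allowlist (https://github.com/ URLs only) is an assumption.

```python
import re
import subprocess

# Directory name git will be asked to create: must start with an
# alphanumeric (so no leading "-" or "."), and must contain no path
# separators, which rules out "../.." traversal as well.
_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')

# Clone URL: allowlisted to plain https GitHub repository URLs (assumed
# policy). This rejects "ext::" helpers, "git://-..." option-looking
# values and anything else the API might hand back unexpectedly.
_URL_RE = re.compile(
    r'^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?/?$')


def is_safe_repo_name(name):
    """True if `name` is acceptable as a local checkout directory."""
    return isinstance(name, str) and _NAME_RE.match(name) is not None


def is_safe_repo_url(url):
    """True if `url` is an allowlisted GitHub clone URL."""
    return isinstance(url, str) and _URL_RE.match(url) is not None


def build_clone_argv(url, name):
    """Return the argv for `git clone`, or raise ValueError on bad input.

    `--` terminates option parsing, so even a value that slipped through
    the allowlist with a leading "-" would be treated as an operand.
    """
    if not is_safe_repo_url(url):
        raise ValueError('refusing to clone from untrusted URL: %r' % (url,))
    if not is_safe_repo_name(name):
        raise ValueError('refusing unsafe checkout directory: %r' % (name,))
    return ['git', 'clone', '--', url, name]


def clone(url, name):
    """Run the validated clone without a shell (argv list, shell=False)."""
    argv = build_clone_argv(url, name)
    return subprocess.call(argv)
```

Running the payloads quoted in this mail through build_clone_argv raises ValueError instead of spawning a shell.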


Upstream bug report:
https://github.com/sociomantic-tsunami/git-hub/issues/197


[*] git-hub is implemented in Python, which didn't verify HTTPS certificates 
before 2.7.9; and git-hub doesn't enable verification on its own either.

-- 
Jakub Wilk
