SecurityTag
ActivePublic

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Tue, Nov 21

quark.zju added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

That's a good point! I wish it was designed like that since the beginning. I guess it won't happen with the current compatibility rules since it is likely to break automation.

Tue, Nov 21, 11:03 PM · Mercurial, Security
epriestley added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

In theory, you could require --config appear between hg and foo in hg foo .... This is already a valid position for --config (for example, hg --config x=y foo is valid), and already not a valid position for foo flags (for example, hg --branch default log is not valid).

Tue, Nov 21, 9:26 PM · Mercurial, Security
quark.zju added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

https://phab.mercurial-scm.org/D1483 should make it possible to use -- to defend non-flag user input. For inputs that are flags, use the form --flag=X and avoid --flag X.

Tue, Nov 21, 9:09 PM · Mercurial, Security

Mon, Nov 13

epriestley closed T13012: Mercurial "--config" and "--debugger" command injection vulnerability as Resolved.

We'll use the hardened mode once it's available, but I don't think we expect to take any further action here until then.

Mon, Nov 13, 9:01 PM · Mercurial, Security

Fri, Nov 10

epriestley updated the task description for T13012: Mercurial "--config" and "--debugger" command injection vulnerability.
Fri, Nov 10, 5:04 PM · Mercurial, Security
epriestley updated the task description for T13012: Mercurial "--config" and "--debugger" command injection vulnerability.
Fri, Nov 10, 5:03 PM · Mercurial, Security
epriestley updated the task description for T13012: Mercurial "--config" and "--debugger" command injection vulnerability.
Fri, Nov 10, 4:58 PM · Mercurial, Security
epriestley updated the task description for T13012: Mercurial "--config" and "--debugger" command injection vulnerability.
Fri, Nov 10, 4:46 PM · Mercurial, Security
epriestley added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

This is now in master so I've made the task public.

Fri, Nov 10, 4:42 PM · Mercurial, Security
epriestley changed the visibility for T13012: Mercurial "--config" and "--debugger" command injection vulnerability.
Fri, Nov 10, 4:42 PM · Mercurial, Security
epriestley added a commit to T13012: Mercurial "--config" and "--debugger" command injection vulnerability: rPa7921a444809: Filter and reject "--config" and "--debugger" flags to Mercurial in any position.
Fri, Nov 10, 4:42 PM · Mercurial, Security
epriestley added a revision to T13012: Mercurial "--config" and "--debugger" command injection vulnerability: D18769: Filter and reject "--config" and "--debugger" flags to Mercurial in any position.
Fri, Nov 10, 4:22 PM · Mercurial, Security
epriestley added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

I don't want to leave RCE in Phabricator for 3 weeks, so I'm planning to land, deploy and disclose some version of the patch above today.

Fri, Nov 10, 4:05 PM · Mercurial, Security
epriestley added a comment to T13012: Mercurial "--config" and "--debugger" command injection vulnerability.

(I change visibility for this to @epriestley, @amckinley and @durin42 for now -- note that I intend to eventually make this issue public once the fix hits the commit log, so don't stockpile all your 0-days here.)

Fri, Nov 10, 3:50 PM · Mercurial, Security
epriestley shifted T13012: Mercurial "--config" and "--debugger" command injection vulnerability from the Restricted Space space to the S1 Core space.
Fri, Nov 10, 3:48 PM · Mercurial, Security

Oct 3 2017

bcooksley added a comment to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns.

Not a problem - thanks for fixing that so quickly.
I can confirm that fixed the issue for us.

Oct 3 2017, 8:40 AM · libphutil, Security

Oct 2 2017

epriestley added a commit to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns: rPHUf7b0855acf5a: (stable) Fix an exception in the hyperlink remarkup rule for unparseable URIs.
Oct 2 2017, 4:10 PM · libphutil, Security
epriestley added a commit to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns: rPHU20db87e17679: Fix an exception in the hyperlink remarkup rule for unparseable URIs.
Oct 2 2017, 4:10 PM · libphutil, Security
epriestley added a revision to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns: D18666: Fix an exception in the hyperlink remarkup rule for unparseable URIs.
Oct 2 2017, 2:14 PM · libphutil, Security

Sep 30 2017

epriestley added a comment to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns.

(I'll fix this if you don't get there first, but have used up all my brain energy for today. And thanks for the report!)

Sep 30 2017, 10:35 PM · libphutil, Security
epriestley added a comment to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns.

Would it be acceptable to change PhutilRemarkupHyperlinkRule to catch this exception and behave as if it were a non-whitelisted protocol? (Happy to draft the patch, just want to check before I do so)

Sep 30 2017, 10:32 PM · libphutil, Security
bcooksley added a comment to T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns.

This change creates a slight problem for us at KDE as we have some historical commits in our Subversion repository which have URLs in them which are invalid. This exception means that:

  • Herald spins forever trying to process these commits, failing every single time (currently up to 855 failures).
  • The commit can't be viewed in the browser (See https://phabricator.kde.org/R883:271607)
Sep 30 2017, 9:27 PM · libphutil, Security

Sep 29 2017

bgamari added a watcher for Security: bgamari.
Sep 29 2017, 4:07 PM

Sep 15 2017

Herald updated subscribers of T3684: Determine if we need to mitigate BREACH.
Sep 15 2017, 5:27 PM · Security
Herald updated subscribers of T3684: Determine if we need to mitigate BREACH.
Sep 15 2017, 5:27 PM · Security

Aug 22 2017

pouyana added a watcher for Security: pouyana.
Aug 22 2017, 12:26 PM

Aug 14 2017

epriestley closed T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`) as Resolved.

There doesn't seem to be anything actionable remaining on our end.

Aug 14 2017, 8:07 PM · Subversion, Mercurial, Git, Security

Aug 12 2017

epriestley added a comment to T9408: Upgrading: `dot` (Graphviz) support removed, changes to `figlet` and `cowsay`.

In https://hackerone.com/reports/259246 (not currently disclosed) a researcher found an actual issue with figlet. Although it would probably be hard to develop into a practical attack, it does make me feel better about the decision to pull all this stuff into PHP (not just dot) when the dot issue was originally identified.

Aug 12 2017, 11:02 PM · Remarkup, Security, Installing & Upgrading

Aug 11 2017

epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

This cropped up in the HN thread -- works in my browsers (although Phabricator does not recognize it as a valid link):

Aug 11 2017, 8:07 PM · Subversion, Mercurial, Git, Security
avivey added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

Thanks for the writeup :)

Aug 11 2017, 7:04 PM · Subversion, Mercurial, Git, Security
indygreg added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

The reason the upstream projects aren't using -- is that it isn't portable. For example, Putty's ssh doesn't support it.

Aug 11 2017, 3:45 PM · Subversion, Mercurial, Git, Security
epriestley updated the task description for T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).
Aug 11 2017, 1:41 PM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

The full set of mitigations is now available in stable, and I've promoted 2017 Week 32 (Mid August).

Aug 11 2017, 1:36 PM · Subversion, Mercurial, Git, Security
epriestley renamed T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`) from Assess Impact of CVE-2017-1000117 et al (`ssh://-...` executing code) to [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).
Aug 11 2017, 1:31 PM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

See also this enormously valuable contribution I made to the Git LFS upstream in connection with T7789 some time ago:

Aug 11 2017, 1:19 PM · Subversion, Mercurial, Git, Security
epriestley updated the task description for T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).
Aug 11 2017, 1:14 PM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

So, all three major VCS had the exact same CVE, which was "we invoke ssh command line, don't sanitize input, and don't specify -- anywhere"?

Aug 11 2017, 12:50 PM · Subversion, Mercurial, Git, Security
quark.zju added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

Thanks for the detailed explanations! I should have thought more carefully. Note old Mercurial also fails to do correct shell quoting on Windows (It uses ' where Windows needs "). But Phabricator does not run on Windows, it shouldn't be an issue.

Aug 11 2017, 3:22 AM · Subversion, Mercurial, Git, Security
avivey added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

So, all three major VCS had the exact same CVE, which was "we invoke ssh command line, don't sanitize input, and don't specify -- anywhere"?

Aug 11 2017, 2:53 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

@indygreg Thanks for the heads up about subrepos -- I would not have otherwise guessed that hg pull might run git.

Aug 11 2017, 2:40 AM · Subversion, Mercurial, Git, Security
epriestley updated the task description for T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).
Aug 11 2017, 2:24 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

From this writeup:

Aug 11 2017, 2:21 AM · Subversion, Mercurial, Git, Security
epriestley added a commit to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`): rP41e823796ac1: (stable) Stop populating or updating working copies in observed Mercurial….
Aug 11 2017, 2:17 AM · Subversion, Mercurial, Git, Security
epriestley added a commit to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`): rP2c150076b00f: Stop populating or updating working copies in observed Mercurial repositories.
Aug 11 2017, 2:15 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

The magic incantation I arrived at was slightly modified from one of the hg test cases:

Aug 11 2017, 2:14 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

Never mind, I was able to get hg pull -u to interact. I'm going to land, cherry-pick, and hotfix D18390.

Aug 11 2017, 2:12 AM · Subversion, Mercurial, Git, Security
cspeckmim added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

I think this is related:
https://www.mercurial-scm.org/wiki/Subrepository#Synchronizing_in_subrepositories

Aug 11 2017, 2:10 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

And here's an extension which appears to be aimed at solving this problem, by adding a new command to execute hg pull -u in subrepositories:

Aug 11 2017, 2:04 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

Also, although ui.ssh appears inneffective against the [git] and [svn] variants of subrepos (Mercurial does not appear to populate GIT_SSH or SVN_SSH based on the ui.ssh setting), I can't get hg to actually interact with remotes using hg clone --noupdate ... or hg pull -u -- <uri>, which are the only relevant commands we run. I can get it to interact with remotes with hg up or hg clone (without --noupdate).

Aug 11 2017, 1:56 AM · Subversion, Mercurial, Git, Security
epriestley added a comment to T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).

In the example above, I put malicious content in .hgsub, like this:

Aug 11 2017, 1:32 AM · Subversion, Mercurial, Git, Security