Change Details

Still unrolling this: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html https://github.com/git/git/commit/4274c698f46a9bc45834c4904e7e113450c042fb

Until releases today, Git, Mercurial and Subversion //all// mishandled SSH URIs in the form `ssh://-flag=evil/...`, and would invoke `ssh` in such a way that the domains in these URIs were interpreted as flags by SSH. From there, certain combinations of flags, like `-oProxyCommand=curl...` could cause the SSH subprocess to do materially harmful things (e.g., take over the host). Phabricator does not appear to be vulnerable to these attacks: - We are relatively strict about host/domain parsing. Although we allow `-` to appear in domain names, we forbid characters like `=`, `|`, and `$` from appearing in domain names, limiting the reach of this attack. - We wrap `ssh` at the VCS level and separate flags and hosts with a `--` ("end of arguments") argument, disambiguating the argument parsing and defusing this attack. - After D18388 (in `master` now, and in `stable` after August 11th) we've further increased the strictness of hostname parsing, but this is just a general hardening measure. Out-of-date clients may be vulnerable (for example, if an attacker can convince you to clone from a specially formatted malicious URI), and you should upgrade `git`, `hg` and `svn` on client systems to defuse versions of this attack which target clients. It couldn't hurt to upgrade them on server hosts too, of course. --- //Originally// Still unrolling this: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html https://github.com/git/git/commit/4274c698f46a9bc45834c4904e7e113450c042fb

Until releases today, Git, Mercurial and Subversion //all// mishandled SSH URIs in the form `ssh://-flag=evil/...`, and would invoke `ssh` in such a way that the domains in these URIs were interpreted as flags by SSH. From there, certain combinations of flags, like `-oProxyCommand=curl...` could cause the SSH subprocess to do materially harmful things (e.g., take over the host). Phabricator does not appear to be vulnerable to these attacks: - We are relatively strict about host/domain parsing. Although we allow `-` to appear in domain names, we forbid characters like `=`, `|`, and `$` from appearing in domain names, limiting the reach of this attack. - We wrap `ssh` at the VCS level and separate flags and hosts with a `--` ("end of arguments") argument, disambiguating the argument parsing and defusing this attack. - After D18388 (in `master` now, and in `stable` after August 11th) we've further increased the strictness of hostname parsing, but this is just a general hardening measure. Out-of-date clients may be vulnerable (for example, if an attacker can convince you to clone from a specially formatted malicious URI), and you should upgrade `git`, `hg` and `svn` on client systems to defuse versions of this attack which target clients. It couldn't hurt to upgrade them on server hosts too, of course. --- //Originally// Still unrolling this: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html https://github.com/git/git/commit/4274c698f46a9bc45834c4904e7e113450c042fb