Until releases today, Git, Mercurial and Subversion //all// mishandled SSH URIs in the form `ssh://-flag=evil/...`, and would invoke `ssh` in such a way that the domains in these URIs were interpreted as flags by SSH.
From there, certain combinations of flags, like `-oProxyCommand=curl...` could cause the SSH subprocess to do materially harmful things (e.g., take over the host).
For a primary source, see: http://blog.recurity-labs.com/2017-08-10/scm-vulns

These issues are complex. Generally, all installs should upgrade Phabricator, Git, Mercurial, and Subversion immediately. The remainder of this task discusses how Phabricator is impacted in more detail.

Phabricator does not appear to be vulnerable to these attacks:

- We are relatively strict about host/domain parsing. Although we allow `-` to appear in domain names, we forbid characters like `=`, `|`, and `$` from appearing in domain names, limiting the reach of this attack.
- We wrap `ssh` at the VCS level and separate flags and hosts with a `--` ("end of arguments") argument, disambiguating the argument parsing and defusing this attack.
- After D18388 (in `master` now, and in `stable` after August 11th) we've further increased the strictness of hostname parsing, but this is just a general hardening measure.

Out-of-date clients may be vulnerable (for example, if an attacker can convince you to clone from a specially formatted malicious URI) and you should upgrade `git`, `hg` and `svn` on client systems to defuse versions of this attack which target clients. It couldn't hurt to upgrade them on server hosts too, of course.
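As an added example (not Phabricator's code), the two defences listed above in Python: a strict host check that rejects `=`, `|`, `$` and anything else outside plain hostname characters, and an `ssh` argv that places `--` before the destination, so a host which survives parsing (a leading `-` is permitted, as in the task) still cannot be consumed as a flag. The URIs and the `git-upload-pack` remote command are constructed sample input; `-p`, `-l`, `-o BatchMode=yes` and `--` are standard OpenSSH client arguments.

```python
import re
from urllib.parse import urlsplit

# Hostname labels: letters, digits and '-' only, dot-separated. A leading
# '-' is deliberately allowed (as the task describes), which is exactly
# why the second defence, the '--' marker, is still required.
# '=', '|', '$', '%', spaces and the like all fail this check.
HOST_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.?$")
USER_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class UnsafeURIError(ValueError):
    """Raised when an ssh:// URI fails strict host/user/port parsing."""


def parse_ssh_uri(uri):
    """Split an ssh:// URI into (user, host, port, path), or raise."""
    parts = urlsplit(uri)
    if parts.scheme != "ssh":
        raise UnsafeURIError("not an ssh:// URI: %r" % uri)
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        raise UnsafeURIError("forbidden characters in host: %r" % host)
    if parts.username is not None and not USER_RE.match(parts.username):
        raise UnsafeURIError("forbidden characters in user: %r" % parts.username)
    try:
        port = parts.port or 22  # .port raises ValueError on junk like ':abc'
    except ValueError:
        raise UnsafeURIError("bad port in %r" % uri)
    return parts.username, host, port, parts.path


def build_ssh_argv(uri, remote_command):
    """argv for ssh in which every option precedes '--' and the host follows it."""
    user, host, port, _path = parse_ssh_uri(uri)
    argv = ["ssh", "-p", str(port), "-o", "BatchMode=yes"]
    if user is not None:
        argv += ["-l", user]  # keep the user out of the destination token
    # '--' ends option parsing: whatever the host looks like, ssh treats the
    # next argument as the destination rather than as a flag.
    argv += ["--", host, remote_command]
    return argv


if __name__ == "__main__":
    # Constructed sample: a host that passes strict parsing but starts with '-'.
    print(build_ssh_argv("ssh://git@-v.example.com/repo.git", "git-upload-pack 'repo.git'"))
```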
---
//Originally//
Still unrolling this:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
https://github.com/git/git/commit/4274c698f46a9bc45834c4904e7e113450c042fb