Re: [PATCH] Allow aliases to expand to shell commands

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Johannes Schindelin <Johannes.Schindelin@...>

To: Theodore Tso <tytso@...>

Cc: Junio C Hamano <junkio@...>, <git@...>

Subject: Re: [PATCH] Allow aliases to expand to shell commands

Date: Saturday, February 10, 2007 - 4:34 pm

Hi,
On Sat, 10 Feb 2007, Theodore Tso wrote:
> diff --git a/git.c b/git.c

quoted text> index c43d4ff..fc08396 100644

> --- a/git.c

> +++ b/git.c

> @@ -159,6 +159,16 @@ static int handle_alias(int *argcp, const char ***argv)

>  	alias_command = (*argv)[0];

>  	git_config(git_alias_config);

>  	if (alias_string) {

> +		if (alias_string[0] == '!') {

> +			trace_printf("trace: alias to shell cmd: %s => %s\n",

> +				     alias_command, alias_string+1);
Here, you add 1 to alias string (though I would put spaces around the

plus, but that's really a nit).
> +			ret = system(alias_string+1);

quoted text> +			if (ret >= 0 && WIFEXITED(ret) &&

> +			    WEXITSTATUS(ret) != 127)

> +				exit(WEXITSTATUS(ret));

> +			die("Failed to run '%s' when expanding alias '%s'\n",

> +			    alias_string, alias_command);
So, shouldn't you here, too?
It made me feel a little uneasy that we can execute _any_ command now, but

I can only find one way to exploit this, when an attacker does not have

shell access anyway: git-shell.
Ciao,

Dscho
-

To unsubscribe from this list: send the line "unsubscribe git" in

the body of a message to majordomo@vger.kernel.org

More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Git rescue mission, Bill Lear, (Wed Feb 7, 8:18 pm)

Re: Git rescue mission, Linus Torvalds, (Thu Feb 8, 1:27 pm)

Re: Git rescue mission, Kalle Pokki, (Thu Feb 8, 4:12 pm)

Re: Git rescue mission, Linus Torvalds, (Thu Feb 8, 5:23 pm)

Re: Git rescue mission, Kalle Pokki, (Thu Feb 8, 6:03 pm)

Re: Git rescue mission, Shawn O. Pearce, (Thu Feb 8, 6:10 pm)

Re: Git rescue mission, Kalle Pokki, (Fri Feb 9, 3:21 pm)

Re: Git rescue mission, Theodore Tso, (Thu Feb 8, 9:48 pm)

Re: Git rescue mission, Shawn O. Pearce, (Thu Feb 8, 9:58 pm)

Re: Git rescue mission, Theodore Ts'o, (Sat Feb 10, 12:05 pm)

[PATCH] Print a sane error message if an alias expands to an..., Theodore Ts'o, (Sat Feb 10, 12:05 pm)

Re: [PATCH] Print a sane error message if an alias expands t..., Junio C Hamano, (Sat Feb 10, 12:50 pm)

[PATCH] Allow aliases to expand to shell commands, Theodore Ts'o, (Sat Feb 10, 12:05 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Theodore Tso, (Sat Feb 10, 2:13 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Johannes Schindelin, (Sat Feb 10, 4:34 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Theodore Tso, (Sat Feb 10, 8:13 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Johannes Schindelin, (Sun Feb 11, 12:03 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Theodore Tso, (Sun Feb 11, 12:21 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Junio C Hamano, (Sun Feb 11, 5:44 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Theodore Tso, (Sun Feb 11, 11:56 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Shawn O. Pearce, (Mon Feb 12, 2:53 am)

Re: [PATCH] Allow aliases to expand to shell commands, Johannes Schindelin, (Sun Feb 11, 6:03 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Johannes Schindelin, (Sun Feb 11, 12:36 pm)

Re: [PATCH] Allow aliases to expand to shell commands, Linus Torvalds, (Sat Feb 10, 2:04 pm)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 5:57 pm)

Re: Git rescue mission, Linus Torvalds, (Thu Feb 8, 6:13 pm)

Re: Git rescue mission, Junio C Hamano, (Fri Feb 9, 12:38 am)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 7:25 pm)

Re: Git rescue mission, Linus Torvalds, (Thu Feb 8, 7:46 pm)

Re: Git rescue mission, Shawn O. Pearce, (Thu Feb 8, 7:33 pm)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 7:40 pm)

Re: Git rescue mission, Linus Torvalds, (Thu Feb 8, 8:17 pm)

Re: Git rescue mission, Michael S. Tsirkin, (Fri Feb 9, 4:58 am)

Re: Git rescue mission, Jakub Narebski, (Thu Feb 8, 8:03 pm)

Re: Git rescue mission, Shawn O. Pearce, (Thu Feb 8, 7:50 pm)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 6:33 pm)

Re: Git rescue mission, Jakub Narebski, (Thu Feb 8, 6:29 pm)

Re: Git rescue mission, Johannes Schindelin, (Wed Feb 7, 8:22 pm)

Re: Git rescue mission, Bill Lear, (Wed Feb 7, 8:24 pm)

Re: Git rescue mission, Johannes Schindelin, (Wed Feb 7, 8:25 pm)

Re: Git rescue mission, Bill Lear, (Wed Feb 7, 8:34 pm)

Re: Git rescue mission, Junio C Hamano, (Wed Feb 7, 8:48 pm)

Re: Git rescue mission, Alexander Litvinov, (Thu Feb 8, 12:28 am)

Re: Git rescue mission, Junio C Hamano, (Thu Feb 8, 8:53 pm)

Re: Git rescue mission, Alexander Litvinov, (Thu Feb 8, 11:32 pm)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 11:27 am)

Re: Git rescue mission, Jeff King, (Thu Feb 8, 7:24 pm)

Re: Git rescue mission, Bill Lear, (Thu Feb 8, 7:32 pm)


linux-kernel:
Rafael J. Wysocki	[Bug #10493] mips BCM47XX compile error
Ingo Molnar	[patch 02/13] syslets: add syslet.h include file, user API/ABI definitions
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Andrea Arcangeli	[PATCH 00 of 11] mmu notifier #v16
git:

linux-netdev:
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Mark Lord	Re: [BUG] New Kernel Bugs
openbsd-misc:

Re: [PATCH] Allow aliases to expand to shell commands

Online users