Re: [orion-dev] Does Orion check for the protocol when cloning from a git repo

Thanks Christian,

That's not at all the intention and definitely a security problem. On OrionHub or a site set up with public access, the intention is to allow sharing of a repo or workspace, but the file layout should of course never be exposed and use of file URLs forbidden.
See Bug 408270 - Git clone MUST forbid use of file urls and other unexpected schemes with a whitelist
-Simon



    From: "Halstrick, Christian" <christian.halstrick@xxxxxxx>
    To: "orion-dev@xxxxxxxxxxx" <orion-dev@xxxxxxxxxxx>
    Date: 05/16/2013 08:41 AM
    Subject: [orion-dev] Does Orion check for the protocol when cloning from a git repo
    Sent by: orion-dev-bounces@xxxxxxxxxxx




Hi,

While playing with Orion's "clone from git repository" functionality I found out my local Orion instance clones from URLs like 'file:/home/user/dondalfi'. With that I get access to all git repos hosted on the machine running the Orion server. That's a security hole, or? Is it only my local Orion that can do that, or is it also true for orionhub.org?

Ciao
 Chris

_______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev
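
A scheme whitelist of the kind Bug 408270 asks for, as an added example that is not Orion's code and not part of either message above. The function name `check_clone_url`, the allowed set, and the `git.example.org` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: network transports only.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})

# Require an explicit "scheme://" prefix. Forms without it (bare paths,
# "file:/path", "host:path") are rejected rather than interpreted.
_SCHEME_PREFIX = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def check_clone_url(url):
    """Return (allowed, reason) for a user-supplied clone URL."""
    if not isinstance(url, str) or not url or url != url.strip():
        return False, "empty or padded with whitespace"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False, "control character in URL"
    match = _SCHEME_PREFIX.match(url)
    if match is None:
        return False, "not in scheme://host/path form"
    scheme = match.group(1).lower()  # schemes are case-insensitive
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' is not on the allowlist" % scheme
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed bracketed host
        return False, "unparseable authority"
    if not host:
        return False, "no host component"
    return True, "ok"


# Constructed sample inputs; the first is the URL form from the report.
SAMPLES = [
    "file:/home/user/dondalfi",
    "file:///home/user/dondalfi",
    "FILE:///home/user/dondalfi",
    "/home/user/dondalfi",
    "https:///home/user/dondalfi",
    "https://git.example.org/team/project.git",
    "ssh://git@git.example.org/team/project.git",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_clone_url(sample))
```

Under this strict policy the scp-style form `user@host:path` is rejected as well, because it lacks an explicit scheme; a deployment that needs it would have to parse and validate that form separately before the clone is attempted.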


