[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [orion-dev] Does Orion check for the protocol when cloning from a git repo
|
Thanks Christian,
That's not at all the intention and definitely a security problem. On OrionHub or a site setup with public access the intention is to allow sharing of a repo or workspace but the file layout should of course never be exposed and use of file URLs forbidden.
See Bug 408270 - Git clone MUST forbid use of file urls and other unexpected schemes with a whitelist
-Simon
![Inactive hide details for "Halstrick, Christian" ---05/16/2013 08:41:19 AM---Hi, While playing with orions "clone from git repo]()
"Halstrick, Christian" ---05/16/2013 08:41:19 AM---Hi, While playing with orions "clone from git repository" functionality I found out my local orion i
![]()
| ![]()
"Halstrick, Christian" <christian.halstrick@xxxxxxx> |
![]()
| ![]()
"orion-dev@xxxxxxxxxxx" <orion-dev@xxxxxxxxxxx>, |
![]()
| ![]()
05/16/2013 08:41 AM |
![]()
| ![]()
[orion-dev] Does Orion check for the protocol when cloning from a git repo |
![]()
| ![]()
orion-dev-bounces@xxxxxxxxxxx |
Hi,
While playing with orions "clone from git repository" functionality I found out my local orion instance clones from URLs like 'file:/home/user/dondalfi'. With that I get access to all git repos hosted on the machine running the orion server. That's a security hole, or? Is it only that my local orion which can do that or is it also true for orionhub.org?
Ciao
Chris
_______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev
