From: Jim Hyslop
Subject: Re: GPG-Signed Commits and RCS Keyword exploit [long]
Date: Thu, 22 Sep 2005 10:48:33 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Derek Price wrote:
> Jim Hyslop wrote:
>> Either way, if the server is compromised, the local file ends up containing the exploit.
>
> Yes, but if I ignore keyword expansion entirely (other than giving a warning or error when keywords are present in the file at commit time), then you won't have a CVS executable that tells you you have a valid, signed, base revision just before it installs compromised code in your sandbox.

I'm working up a discussion paper, which outlines various attacks and compares how the two approaches can detect them. In order to do this properly, I need to know exactly how you propose to ignore RCS keywords (it's glossed over in the discussion document on the wiki).

Suppose I have rev 1.2 of a file checked out, and it contains:

    #include <stdio.h>
    int main( int argc, char ** argv )
    {
        printf("Hello, revision $Revision: 1.2$\n");
        return 0;
    }

will this be signed as if I am checking in the un-expanded keyword, i.e. as if the file contains:

    #include <stdio.h>
    int main( int argc, char ** argv )
    {
        printf("Hello, revision $Revision$\n");
        return 0;
    }

--
Jim
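
One reading of "signed as if the keyword were un-expanded", sketched as an added example; it is not from the original message and is not CVS code. The function names, the keyword list and the use of SHA-256 as a stand-in for the bytes handed to GPG are assumptions.

```python
import hashlib
import re

# Keywords collapsed here (assumed list). $Log$ is left out on purpose: it
# inserts extra lines after the keyword and would need separate handling.
KEYWORDS = (b"Author", b"Date", b"Header", b"Id", b"Locker", b"Name",
            b"RCSfile", b"Revision", b"Source", b"State")

# Matches "$Keyword$" and "$Keyword: value$" within a single line.
_KW = re.compile(rb"\$(" + b"|".join(KEYWORDS) + rb")(?::[^$\n]*)?\$")


def unexpand(data: bytes) -> bytes:
    """Collapse every expanded keyword back to its bare $Keyword$ form."""
    return _KW.sub(rb"$\1$", data)


def signing_digest(data: bytes) -> str:
    """Digest of the un-expanded form: the bytes a signature would cover."""
    return hashlib.sha256(unexpand(data)).hexdigest()


def expanded_keywords(data: bytes) -> list:
    """Expanded keywords found in the file. Their values are outside the
    digest, so a verifier has to report or regenerate them, not trust them."""
    return [m.group(0).decode() for m in _KW.finditer(data)
            if b":" in m.group(0)]


# The two files from the message above (raw bytes, so \n stays as C source).
UNEXPANDED = rb'''#include <stdio.h>
int main( int argc, char ** argv )
{
    printf("Hello, revision $Revision$\n");
    return 0;
}
'''
EXPANDED = UNEXPANDED.replace(b"$Revision$", b"$Revision: 1.2$")

if __name__ == "__main__":
    print(signing_digest(EXPANDED) == signing_digest(UNEXPANDED))
    print(expanded_keywords(EXPANDED))
```
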