
Issue 10262


Issue metadata

Status: Released
Owner: ----
Closed: Jan 11
Cc:




AdvertiseRefsHook is not called for git-upload-pack in protocol v0 stateless transports

Project Member Reported by david.pu...@gmail.com, Jan 6

Issue description


Affected Version: 2.9 and later


As reported by Jonathan Nieder:

In protocol v0 bidirectional transports, the AdvertiseRefsHook is called at ref advertisement time and all is well. But in protocol v0 HTTP, we're not seeing the AdvertiseRefsHook called anywhere for the /git-upload-pack request, meaning that wants aren't validated and I can fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as I can guess the object name.


Labels: NonPublic
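To make the report concrete, here is an added Python model of the check that goes missing in the stateless v0 path. It is not JGit or Gerrit code; the pkt-line helpers, the toy commit graph, the `advertise_refs_hook` stand-in and the `call_hook` switch are all constructed for illustration. With `call_hook=False` the wants are compared against every ref in the repository (the reported behaviour: a guessed object name behind a hidden ref is served); with the hook applied they are compared against the visible subset only, either as advertised tips or, with `allow_reachable=True`, as anything reachable from those tips.

```python
"""Constructed model of want validation for a protocol v0 stateless git-upload-pack request."""
import hashlib
from collections import deque

FLUSH_PKT = b"0000"


def pkt_line(payload: bytes) -> bytes:
    """Encode one pkt-line: 4 hex digits of total length (header included) + payload."""
    return b"%04x%s" % (len(payload) + 4, payload)


def parse_pkt_lines(data: bytes):
    """Yield payloads from a pkt-line stream; a flush packet ('0000') yields None."""
    pos = 0
    while pos < len(data):
        header = data[pos:pos + 4]
        if len(header) < 4:
            raise ValueError("truncated pkt-line header")
        length = int(header, 16)
        if length == 0:
            yield None
            pos += 4
            continue
        if length < 4 or pos + length > len(data):
            raise ValueError("bad pkt-line length %d" % length)
        yield data[pos + 4:pos + length]
        pos += length


def oid(name: str) -> str:
    """Deterministic fake 40-hex object id for the constructed commit graph."""
    return hashlib.sha1(name.encode()).hexdigest()


# Constructed commit graph (object id -> parent ids); not a real repository.
COMMITS = {
    oid("c1"): [],
    oid("c2"): [oid("c1")],
    oid("c3"): [oid("c2")],            # tip of refs/heads/master
    oid("secret1"): [oid("c2")],
    oid("secret2"): [oid("secret1")],  # tip of refs/heads/secret
}
REFS = {
    "refs/heads/master": oid("c3"),
    "refs/heads/secret": oid("secret2"),
}


def advertise_refs_hook(refs: dict, user: str) -> dict:
    """Stand-in for an AdvertiseRefsHook: hide refs/heads/secret from everyone but 'admin'."""
    if user == "admin":
        return dict(refs)
    return {name: tip for name, tip in refs.items() if name != "refs/heads/secret"}


def reachable_from(tips, commits: dict) -> set:
    """Every commit reachable from the given tips (breadth-first over parents)."""
    seen, todo = set(), deque(tips)
    while todo:
        c = todo.popleft()
        if c in seen or c not in commits:
            continue
        seen.add(c)
        todo.extend(commits[c])
    return seen


def check_upload_pack_request(body: bytes, refs: dict, user: str,
                              call_hook: bool = True,
                              allow_reachable: bool = False) -> list:
    """Parse the 'want' lines of a v0 stateless upload-pack body and validate them.

    call_hook=False reproduces the reported bug: the hook is skipped, so wants are
    checked against all refs in the repository instead of the visible subset.
    """
    visible = advertise_refs_hook(refs, user) if call_hook else dict(refs)
    wants = []
    for pkt in parse_pkt_lines(body):
        if pkt is None:
            break  # flush packet ends the want section
        line = pkt.rstrip(b"\n").decode("ascii")
        if line.startswith("want "):
            wants.append(line.split()[1])
    if allow_reachable:
        allowed = reachable_from(visible.values(), COMMITS)
    else:
        allowed = set(visible.values())  # advertised tips only
    rejected = [w for w in wants if w not in allowed]
    if rejected:
        raise PermissionError("want %s not valid" % rejected[0])
    return wants


def request_is_rejected(body: bytes, refs: dict, user: str, **kwargs) -> bool:
    """True if the request fails validation, False if all wants are accepted."""
    try:
        check_upload_pack_request(body, refs, user, **kwargs)
    except PermissionError:
        return True
    return False


def upload_pack_body(*want_oids: str) -> bytes:
    """Build a minimal v0 request body: want lines, a flush packet, then 'done'."""
    body = b"".join(pkt_line(b"want " + w.encode() + b"\n") for w in want_oids)
    return body + FLUSH_PKT + pkt_line(b"done\n")
```

The point of the model is the position of the hook call: in the bidirectional flow the advertisement step already narrows the ref set before any want arrives, whereas a stateless /git-upload-pack POST carries the wants with no preceding advertisement in the same connection, so the hook has to be invoked on that request explicitly or the want check silently falls back to the full ref set.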

Comment 2 by jrn@google.com, Jan 7

Cc: ifrade@google.com masayasuzuki@google.com matthias...@gmail.com
What are the remaining steps before we can announce and release this?

Is this waiting on somebody verifying the changes at https://gerrit-review.googlesource.com/q/hashtag:"jgitupgradedec2018"?

Comment 3 by jrn@google.com, Jan 7

Cc: mthai@google.com
Status: ChangeUnderReview (was: New)

Comment 5 by jrn@google.com, Jan 7

When I view https://gerrit-review.googlesource.com/c/gerrit/+/208837, submitted_together says "+ 16 non-visible changes".
Sorry about that. I've added you as reviewer on the other changes in that set.
> Is this waiting on somebody verifying the changes at https://gerrit-review.googlesource.com/q/hashtag:"jgitupgradedec2018"?

Yes.

Given that it's the same fix in all of them, it should be safe enough to verify on one of them and then carry the score over to all the others.

I can try to test it tomorrow if you can provide steps on how to do it.

It would be better though if we can write an integration test on the earliest stable branch and then merge that up through the subsequent branches.
Labels: FixedIn-2.12.9 FixedIn-2.9.5 FixedIn-2.14.18 FixedIn-2.16.3 FixedIn-2.15.8 FixedIn-2.11.12 FixedIn-2.10.8 FixedIn-2.13.12
Status: Released (was: ChangeUnderReview)
Labels: -Security -NonPublic -Restrict-View-SecurityIssue
Removing the visibility restriction now that the issue is fixed.
Summary: AdvertiseRefsHook is not called for git-upload-pack in protocol v0 stateless transports (was: AdvertiseRefsHook is not called for git-upload-pack in protocol v0 bidirectional transports)
