Security implications of fetching server content via checksum
From: Hyrum K. Wright <hyrum_wright_at_mail.utexas.edu>
Date: Tue, 30 Mar 2010 13:17:00 -0500
[I'm writing this now because the thoughts are fresh, and the list archive lasts forever. This isn't really an issue until later releases, since we've currently no way to achieve this theoretical behavior. Feel free to comment, but it won't hurt my feelings if this languishes for a while.]
In New York last week, we talked a little bit about Editor v2 (Ev2), and the fetching of content from the server by SHA-1. One of the benefits of wc-ng, and something that will be enabled by Ev2, is the ability for the client to request, and the server to send, content out-of-band. By using SHA-1 hashes for content identification, clients will only need to request content they don't already have, such as the case where a pristine store already has most of the required content for an update or a checkout.
This works fine when the repository is considered world-readable, but what happens for a repository with path-based access control? What will prevent a reader from requesting content via SHA-1 that it should not have access to? Sure, the odds of randomly guessing the SHA-1 for a protected path are pretty low, but some of our more paranoid users would prefer that it isn't even a possibility. What if said content were both readable, as well as protected by path-based authz?
Anyway, just some thoughts, and if my logic has some gaping holes, I'd love to know about 'em!
This is an archived mail posted to the Subversion Dev mailing list.
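The concern raised in the mail, as an added example that is not part of the original post and is not Subversion code: a toy content-addressed store where the naive out-of-band fetch hands back any blob whose SHA-1 the caller knows, beside a variant that only returns a blob when the caller can read at least one path that stores it. The class and function names (`ContentStore`, `PathAuthz`, `build_demo_store`) and the sample paths and rules are constructed for this illustration; the "most specific path rule wins" behaviour of `PathAuthz` is modelled loosely on how svn authz files are read, not taken from any Subversion implementation.

```python
"""Added example: path-based authorization for SHA-1 content lookups.

All names and data here are constructed for the illustration; nothing is
taken from Subversion's own code or APIs.
"""
import hashlib
from typing import Dict, Optional, Set, Tuple


def sha1_hex(data: bytes) -> str:
    """Content identifier used by the store (hex SHA-1 of the bytes)."""
    return hashlib.sha1(data).hexdigest()


class PathAuthz:
    """Path-prefix read rules: the most specific matching prefix decides."""

    def __init__(self, rules: Dict[str, Set[str]]) -> None:
        # rules maps a repository path prefix to the set of users allowed to read it.
        self.rules = rules

    def can_read(self, user: str, path: str) -> bool:
        best: Optional[str] = None
        for prefix in self.rules:
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                if best is None or len(prefix) > len(best):
                    best = prefix
        return best is not None and user in self.rules[best]


class ContentStore:
    """Blobs keyed by SHA-1, plus the repository paths that point at them."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.paths: Dict[str, str] = {}  # repository path -> sha1 of its content

    def put(self, path: str, data: bytes) -> str:
        digest = sha1_hex(data)
        self.blobs[digest] = data
        self.paths[path] = digest
        return digest

    def fetch_by_hash_unchecked(self, digest: str) -> Optional[bytes]:
        # The behaviour the mail worries about: knowing the hash is enough,
        # regardless of which paths the caller is allowed to read.
        return self.blobs.get(digest)

    def fetch_by_hash_authz(self, user: str, digest: str,
                            authz: PathAuthz) -> Optional[bytes]:
        # Release the blob only if some path carrying this exact content is
        # readable by the caller. Content that exists at both a public and a
        # protected path is therefore still served, since the caller could
        # already read it via the public path; content that lives only under
        # protected paths is withheld even when the hash is known.
        for path, stored in self.paths.items():
            if stored == digest and authz.can_read(user, path):
                return self.blobs[digest]
        return None


def build_demo_store() -> Tuple[ContentStore, PathAuthz, Dict[str, str]]:
    """Constructed scenario: one public tree, one protected tree."""
    authz = PathAuthz({"/public": {"alice", "bob"}, "/secret": {"bob"}})
    store = ContentStore()
    hashes = {
        "readme": store.put("/public/README", b"hello world"),
        "plan": store.put("/secret/plan.txt", b"protected content"),
        # identical bytes at a public and a protected path
        "license": store.put("/public/LICENSE", b"MIT"),
    }
    store.put("/secret/LICENSE", b"MIT")
    return store, authz, hashes


if __name__ == "__main__":
    store, authz, h = build_demo_store()
    print("unchecked, secret plan :", store.fetch_by_hash_unchecked(h["plan"]))
    print("alice, secret plan     :", store.fetch_by_hash_authz("alice", h["plan"], authz))
    print("bob, secret plan       :", store.fetch_by_hash_authz("bob", h["plan"], authz))
    print("alice, shared LICENSE  :", store.fetch_by_hash_authz("alice", h["license"], authz))
```

The authorized variant answers the mail's last question directly: when the same bytes sit at both a readable and a protected path, the reader gets them, because the readable path alone already entitles them to that content. Note that the check still distinguishes "present but withheld" from "absent" only on the server side; the caller sees `None` in both cases, which avoids leaking existence of protected content through the hash lookup.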