Christian Halstrick noticed...

While playing with Orion's "clone from git repository" functionality I found out my local Orion instance clones from URLs like 'file:/home/user/dondalfi'. With that I get access to all git repos hosted on the machine running the Orion server. That's a security hole, or? Is it only my local Orion that can do that or is it also true for orionhub.org?

--

This is indeed a problem that needs immediate attention. We need to first explicitly forbid file URLs but also should only accept URLs from a set of white-listed schemes.
I pushed a fix to GitHub: "Bug 408270 - only allow whitelisted URI schemes" https://github.com/msohn/orion.server/commit/f35d17158daba51c72249f431f1935eb70cee746
Thanks Matthias - I've pushed the change. Could you please add the provenance blurb when you get a moment. (e.g. I assert that I authored...)
From tonight's build http://download.eclipse.org/orion/drops/I201305162230/org.eclipse.orion.server.tests.AllServerTests.html
Yup, I didn't want to go to bed anyway... the fix is still valid
Tests fixed. I was getting a failure for GitCloneTest.testDeleteInProject but this did not seem to be related to this fix. The test passed when run in isolation but failed when there was another project entry in the workspace.
I authored 100% of this fix, have the rights to donate the content to Eclipse and contribute the content under the EPL
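
The scheme allow-list discussed in this bug, as an added example that is not part of the thread and is not the code from the linked commit. The class name, the set of accepted schemes, and the requirement for a host component are assumptions made for illustration; scheme-less input is rejected because a bare path names a repository on the server's own file system.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class CloneUrlCheck {
    // Assumed allow-list; the thread does not say which schemes the real fix accepts.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https", "http", "ssh", "git");

    /** Returns true only for URLs with an allow-listed scheme and a host component. */
    static boolean isAllowedCloneUrl(String url) {
        if (url == null || url.isBlank()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never passed on to the git layer
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // bare paths such as /home/user/repo would be read from local disk
        }
        // Schemes are case-insensitive, so FILE: must be treated the same as file:
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Assumption: a remote clone always names a host; https:/path has none.
        return uri.getHost() != null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the URL form reported in the bug.
        String[] samples = {
            "file:/home/user/dondalfi",
            "FILE:///home/user/dondalfi",
            "/home/user/dondalfi",
            "https:/home/user/dondalfi",
            "https://example.org/project.git",
            "ssh://git@example.org/project.git"
        };
        for (String s : samples) {
            System.out.println((isAllowedCloneUrl(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```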