Re: [Monotone-devel] hang on Win32/MinGW with sync file:
From: Nathaniel Smith
Subject: Re: [Monotone-devel] hang on Win32/MinGW with sync file:
Date: Tue, 4 Dec 2007 00:16:54 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

On Mon, Dec 03, 2007 at 07:04:28PM -0500, Stephen Leake wrote:
> Although I think using sockets would open up a security hole; file:
> runs the server with --no-transport-auth. So for a brief time an
> external machine could attach to the server.

Surely win32 sockets can be bound to loopback, so only local processes
can connect? That doesn't *fully* close the hole, but it helps.

What would fully close the hole would be to generate a random nonce,
and send it over the socket as the first thing we do -- since we hold
both ends of the socket, we know what random nonce to expect, but
no-one else would. This could be fully hidden within the "socketpair"
code (i.e., it would transmit and receive the nonce to check the
connection before returning the sockets).

-- Nathaniel
--
Eternity is very long, especially towards the end.
-- Woody Allen
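
The loopback-plus-nonce check proposed in the message above, as an added example that is not part of the original post and not monotone's code. It is written in Python so it runs unchanged on Win32 and POSIX; `NONCE_LEN`, `nonce_socketpair` and the `before_connect` test hook are assumptions made for illustration.

```python
import hmac
import secrets
import socket

NONCE_LEN = 32  # assumed length; the post does not specify one


def _recv_exact(sock, n):
    """Read n bytes; return fewer if the peer closes or times out."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:  # includes socket.timeout
        pass
    return buf


def nonce_socketpair(timeout=2.0, before_connect=None):
    """Emulate socketpair() over loopback TCP, verified by a random nonce.

    before_connect is a hypothetical hook (not in the post) that receives
    the listener address, so a test can simulate a stranger connecting first.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        listener.listen(5)
        addr = listener.getsockname()
        if before_connect:
            before_connect(addr)
        nonce = secrets.token_bytes(NONCE_LEN)
        ours = socket.create_connection(addr, timeout=timeout)
        ours.sendall(nonce)  # delivered only to the listener we hold
        while True:
            peer, _ = listener.accept()
            peer.settimeout(timeout)  # a silent stranger cannot stall us forever
            if hmac.compare_digest(_recv_exact(peer, NONCE_LEN), nonce):
                break
            peer.close()  # wrong or missing nonce: not our connection
    finally:
        listener.close()  # stop accepting before handing the sockets out
    ours.settimeout(None)
    peer.settimeout(None)
    return ours, peer
```

Only the accepted end needs checking: the connecting end is known to reach the listener this process holds, so a one-way nonce is enough to reject any connection that arrived first from another local process.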