FredrikNoren / ungit

The easiest way to use git. On any platform. Anywhere.
MIT License

Authentication allows access with any password! #227

Closed efi closed 10 years ago

efi commented 10 years ago

With an .ungitrc like this:

{
  "launchBrowser": false,
  "port": 8080,
  "authentication": true,
  "users": {
    "testuser": "doesitmatter?"
  },
  "bugtracking": false,
  "sendUsageStatistics": true
}

Anyone can log in as "testuser" using any password (except for a blank one)...

This is a serious security flaw!
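A credential check against the `users` map from the .ungitrc above, with the wrong-password case from this report included as a regression check. This is an added example, not part of the original thread and not ungit's code; `verifyCredentials`, `constantTimeEqual` and `loginChecks` are hypothetical names, and the thread does not say what caused the bug.

```javascript
// Added example (not ungit's code). Config shape copied from the .ungitrc in the report.
const config = {
  authentication: true,
  users: { testuser: "doesitmatter?" },
};

// Compare two strings without stopping at the first differing byte.
// (In Node, crypto.timingSafeEqual does this for equal-length buffers.)
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;            // a length mismatch is already a failure
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);       // pad the shorter input with zeros
  }
  return diff === 0;
}

// Hypothetical helper: true only when the user is configured AND the password
// matches exactly. Every other case fails closed.
function verifyCredentials(cfg, username, password) {
  if (typeof username !== "string" || typeof password !== "string") return false;
  const users = cfg && cfg.users;
  if (!users || typeof users !== "object") return false;
  // Own-property lookup, so "constructor" or "__proto__" never resolve to
  // something inherited from Object.prototype.
  const known = Object.prototype.hasOwnProperty.call(users, username);
  const expected = known && typeof users[username] === "string" ? users[username] : "";
  // Always run the comparison, even for unknown users, then combine the results.
  const match = constantTimeEqual(password, expected);
  return known && expected.length > 0 && match;
}

// Constructed login attempts; only the first one may succeed.
function loginChecks(cfg) {
  const attempts = [
    ["testuser", "doesitmatter?"],   // correct password
    ["testuser", "anything-else"],   // the case from the report
    ["testuser", ""],                // blank password
    ["nobody", "doesitmatter?"],     // unknown user
    ["constructor", ""],             // inherited property name
  ];
  return attempts.map(([u, p]) => verifyCredentials(cfg, u, p));
}

console.log(loginChecks(config));
```

A check like `loginChecks` belongs in the test suite of any service that is reachable from other machines, so that a login accepting the wrong password fails the build.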

Ajedi32 commented 10 years ago

Uh... ungit is just a gui layer on top of git. I don't think it's possible for ungit to have a security flaw. Right?

efi commented 10 years ago

Not quite right, I think. I consider anybody being able to remotely browse my computer's directory structure and create (within some limits) arbitrary directories and load arbitrary files into that directory (and export my possibly private git repos without my consent), etc. to be a quite serious security flaw.

Ajedi32 commented 10 years ago

Ah, I see. You're talking about the case where you have enabled access to ungit from remote computers. I'd not thought of that use case.