I have PM-ed someone on this matter, but basically the fix is just a matter of rewording:
'We cannot find the public repo (note that you have not logged in). If you are accessing a private repo, then please login first'.
So this way, if a user wants to brute force to check if the repo exists, he/she has no idea whether the brute force actually results in something. So security-wise, it is still good.
Unreal Engine 4 and Linux
StrangerGwenn replied: You can't ever have a different behaviour on a private repo and a non-existing repo, because it confirms its existence and can be brute-forced.
Are we done on this? This isn't the place to discuss the security and convenience of GitHub, especially for explaining the same thing over and over. Please?
Last edited by StrangerGwenn; 07-11-2017, 01:58 AM.
Syed replied:
Originally posted by Gwenn: I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists.
This isn't dumb at all.
UnrealEnterprise replied:
Originally posted by Gwenn: but if Microsoft has a WindowsWithLinuxKernel repo, that's probably not information they want to be public. Private means private.
Plus surely leaks like this put everything else into perspective etc...
Originally posted by Gwenn: Can we go back to Linux discussions instead of feature requests for GitHub?
StrangerGwenn replied: I just explained it - if it returned a different code than 404, you could automatically generate a list of private repositories for an organization by just probing all possible URLs. While not a real risk in the classical sense, it's still private information. Everyone knows Epic has an UnrealEngine repo, but if Microsoft has a WindowsWithLinuxKernel repo, that's probably not information they want to be public. Private means private.
Go to GitHub's issue tracker to see other people say the same thing (one with the same Half-Life 3 example I jokingly gave above): https://github.com/dear-github/dear-github/issues/162
Can we go back to Linux discussions instead of feature requests for GitHub?
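The point StrangerGwenn makes above, modelled as an added example that is not code from this thread or from GitHub: two lookup policies over a constructed repository table, a leaky one that answers a private repo with a login prompt and a missing repo with 404, and a uniform one that answers both with the same 404, plus the regression check a service owner would want, namely whether a caller without read rights can tell the two cases apart. Repo names, users and the Response shape are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: (owner, name) -> set of users allowed to read,
# or None for a public repository.
REPOS = {
    ("epic", "unrealengine"): {"alice"},   # private, readable only by alice
    ("acme", "opensource-tool"): None,     # public
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def leaky_lookup(owner: str, name: str, user: Optional[str] = None) -> Response:
    """Distinct answers per case: 404 for missing, login prompt / 403 for private.
    Existence of a private repo leaks to anyone who can issue requests."""
    key = (owner, name)
    if key not in REPOS:
        return Response(404, "Not Found")
    readers = REPOS[key]
    if readers is None or user in readers:
        return Response(200, f"{owner}/{name}")
    if user is None:
        return Response(401, "Please login first")
    return Response(403, "Forbidden")


def uniform_lookup(owner: str, name: str, user: Optional[str] = None) -> Response:
    """Same 404 for a missing repo and for one the caller may not read.
    A missing repo is treated exactly like a repo with an empty reader set."""
    readers = REPOS.get((owner, name), ())
    if readers is None or user in readers:
        return Response(200, f"{owner}/{name}")
    return Response(404, "Not Found")


def leaks_existence(lookup, user: Optional[str] = None) -> bool:
    """Regression check: does a caller without read rights get different
    responses for a private repo and a nonexistent one? True means it leaks."""
    private = lookup("epic", "unrealengine", user)   # exists, caller may not read it
    missing = lookup("epic", "does-not-exist", user)  # never existed
    return private != missing
```

The check compares status and body together, since either one differing is enough to act as an existence oracle.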
UnrealEnterprise replied:
Originally posted by Gwenn: I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists. This isn't dumb at all.
But are GitHub paths like probing existing logins?
It's not like malware probing 135 / 445 open ports...
What use would that information really be, Gwenn?
Explain to us where you see the real security risks...
StrangerGwenn replied: I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like "unrealengine5" or "halflife3", and by getting a login prompt, you would know that such a repository exists.
This isn't dumb at all.
Syed replied: I think what he meant was the error should be 'Please login first' instead of a 404 error (which doesn't look professional).
StrangerGwenn replied: It's not dumb, it's basic safety. You're not going to give away the existence of a file by outputting a different error if it does exist.
UnrealEnterprise replied:
Originally posted by Gwenn: Well, are you logged in?
How does GitHub distinguish between real 404 errors or a deleted repo / branch etc.!
thadkinsjr replied: We aren't getting a launcher any time soon. Epic replied that they have an interest in making a unified Flatpak for all distros.
leotada replied: Epic should provide at least the Launcher with compiled binaries of UE4, or a Flatpak package for example, which will run in any Linux distribution. Sad about the lack of support.
mike444 replied: How cool is that:
http://phoronix.com/scan.php?page=ne...VR-Vulkan-GNUX
I'll try to run the ocean examples with Vulkan once I've finished some other stuff.
Has anyone set up VS Code for Unreal?
Last edited by mike444; 04-29-2017, 09:29 AM.
Phruis replied: Hey peeps, I was gonna build the editor on Linux, but can't find the repo any more. Getting a 404 error.
Thanks