By: Luo Qiqi
Produced by: OSC Open Source Community (ID: oschina2013)
On January 25, Linus Torvalds submitted a prank README page to the Linux GitHub repository: https://github.com/torvalds/linux/tree/8bcab0346d4fcf21b97046eb44db8cf37ddd6da0, titled “delete linux because it sucks” — I deleted Linux because it sucks.
Hello everyone, I am Linus Torvalds, the famous author of Linux. You can check the repo URL and the name at the top of the file, which can prove that it was me who submitted it. I deleted Linux because I hate it, and I think it sucks. You should use this great operating system called Windows XP, which I just found out is really great.
Why is this considered a prank? Because the source code of Linux has not been deleted, and observant netizens discovered that there is a link at the bottom of the README:
This link points to a post on Hacker News, which details the existing “fake commit” vulnerability on GitHub: arbitrary commits can be published under the URL https://github.com/my/project. For example, using the URL https://github.com/my/project/blob/<faked_commit>/README.md, a fake README page can be published, which will not appear in the project’s commit history and does not belong to any branch, and can only be seen by accessing a specific URL. Linus’s prank README file exploited this fake commit vulnerability; take a look at the URL of this README:
If it were a normal commit, the URL should contain the word commit, for example:
In addition to the incorrect URL, this README file also did not appear in the commit history:
It can be seen that Linus was just joking and did not actually delete the repository.Those interested in this vulnerability can check out the original post on Hacker News, which combines this fake commit vulnerability with another “impersonating a user through git email address” vulnerability: https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address, which can create phishing pages that look real. For example, https://github.com/slimsag/linux/tree/5895e21f3c744ed9829e3afe9691e3eb1b1932ae#linux-kernel this repository seems to indicate that Linus himself participated in its development:
However, this was just achieved by replacing the email address, changing slimsag to torvalds.
On the left is the torvalds replaced through the vulnerability, and on the right is the normal one. A careful comparison reveals that the torvalds created through the sleight of hand does not display activity records.These GitHub vulnerabilities were disclosed in 2020, yet the vulnerability authors claim that “GitHub does not consider these issues as vulnerabilities at all”. It is unclear whether GitHub is unable to address them or believes they are unnecessary to fix; in any case, they can still be exploited to this day.
Previous Highlights
cURL Author Complains: A Fortune 500 Company “Free Riding” on Technical Support
What is the Gap in Open Source Between China and the US?
Microsoft Releases VS Code Java Roadmap for 2022
If you find this interesting, please give it a thumbs up.