Re: [PATCH v3 04/35] upload-pack: convert to a builtin
From: Jonathan Nieder <hidden>
Date: 2018-02-22 22:42:43
Jeff King wrote:

> All of that said, I think the current code is quite dangerous already, and maybe even broken. upload-pack may run sub-commands like rev-list or pack-objects, which are themselves builtins.

Sounds like more commands to set the IGNORE_PAGER_CONFIG flag for in git.c.

Thanks for looking this over thoughtfully.

[...]
> I couldn't quite get it to work, but I think it's because I'm doing something wrong with the submodules. But I also think this attack would _have_ to be done over ssh, because on a local system the submodule clone would be a hard-link rather than a real fetch.

What happens if the submodule URL starts with file://?

Thanks,
Jonathan