Thread (329 messages), 12 authors, 2018-03-14

Re: [PATCH v3 04/35] upload-pack: convert to a builtin

From: Jonathan Nieder <hidden>
Date: 2018-03-12 23:37:55

Jeff King wrote:
> We could even give it an environment variable, which would allow
> something like:
>
>   tar xf maybe-evil.git.tar
>   cd maybe-evil
>   export GIT_TRUST_REPO=false
>   git log

Interesting idea.  Putting it in an envvar means it gets inherited by
child processes, which if I understand you correctly is a good thing.

[...]
>   1. We have to manually annotate any "dangerous" code to act more
>      safely when it sees the flag. Which means it's highly likely to
>      miss a spot, or to add a new feature which doesn't respect it. And
>      suddenly that's a security hole. So I'm concerned it may create a
>      false sense of security and actually make things worse.

As an internal implementation detail, this is so obviously fragile
that it wouldn't give me any feeling of security. ;-)  So it should be
strictly an improvement.

As a public-facing feature, I suspect it's a bad idea for exactly that
reason.

FWIW for pager specifically I am going for a whitelisting approach:
new commands would have to explicitly set ALLOW_PAGER if they want to
respect pager config.  That doesn't guarantee people think about it
again as things evolve but it should at least help with getting the
right setting for new plumbing.

Thanks,
Jonathan
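The risk both messages circle around is running git inside a repository whose config someone else wrote, since keys such as core.pager or aliases make git execute programs. The script below is an added example, not code from this thread or from git: it audits a config file for such keys so the file can be reviewed before trusting the repository (the list of keys it flags is an assumption, and the sample config is constructed).

```shell
#!/bin/sh
# Added example, not code from this thread or from git itself: audit an
# untrusted repository's config for keys that can make git run an external
# program (pager, aliases, filters, hooks path, ...) before any git command
# is run inside that repository. The key list is an assumption; keys
# written without "=" (implicit true) are skipped.
# Print "section.key=value" for every entry whose key can trigger program
# execution. Argument: path to a git config file, e.g. .git/config.
untrusted_exec_keys() {
    awk '
        # Remember the current [section] or [section "subsection"] header.
        /^[ \t]*\[/ {
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            gsub(/"/, "", sect)          # [filter "lfs"] -> filter lfs
            gsub(/[ \t]+/, ".", sect)    # filter lfs -> filter.lfs
            next
        }
        # key = value lines; section and key names are case-insensitive.
        /^[ \t]*[A-Za-z][A-Za-z0-9-]*[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            full = sect "." key
            if (tolower(full) ~ /^(core\.(pager|editor|hookspath|sshcommand|gitproxy|askpass)|alias\..*|diff\.external|diff\..*\.command|merge\..*\.driver|filter\..*\.(clean|smudge|process)|gpg\..*program|pager\..*|credential\..*helper|uploadpack\.packobjectshook)$/)
                print full "=" val
        }
    ' "$1"
}

# Constructed sample standing in for an untrusted repository's .git/config.
write_sample_config() {
    cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
    pager = /tmp/not-less
[alias]
    st = status
    oops = !echo hi
[filter "lfs"]
    clean = git-lfs clean -- %f
[remote "origin"]
    url = https://example.invalid/repo.git
EOF
}
# Stand-alone run: lists core.pager, alias.st, alias.oops and filter.lfs.clean.
cfg=$(mktemp)
write_sample_config "$cfg"
untrusted_exec_keys "$cfg"
rm -f "$cfg"
```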