git-commit-vandalism/Documentation
Jeff King 68061e3470 fast-import: disallow "feature export-marks" by default
The fast-import stream command "feature export-marks=<path>" lets the
stream write marks to an arbitrary path. This may be surprising if you
are running fast-import against an untrusted input (which otherwise
cannot do anything except update Git objects and refs).

Let's disallow the use of this feature by default, and provide a
command-line option to re-enable it (you can always just use the
command-line --export-marks as well, but the in-stream version provides
an easy way for exporters to control the process).

This is a backwards-incompatible change, since the default is flipping
to the new, safer behavior. However, since the main users of the
in-stream versions would be import/export-based remote helpers, and
since we trust remote helpers already (which are already running
arbitrary code), we'll pass the new option by default when reading a
remote helper's stream. This should minimize the impact.

Note that the implementation isn't totally simple, as we have to work
around the fact that fast-import doesn't parse its command-line options
until after it has read any "feature" lines from the stream. This is how
it lets command-line options override in-stream. But in our case, it's
important to parse the new --allow-unsafe-features first.

There are three options for resolving this:

  1. Do a separate "early" pass over the options. This is easy for us to
     do because there are no command-line options that allow the
     "unstuck" form (so there's no chance of us mistaking an argument
     for an option), though it does introduce a risk of incorrect
     parsing later (e.g., if we convert to parse-options).

  2. Move the option parsing phase back to the start of the program, but
     teach the stream-reading code never to override an existing value.
     This is tricky, because stream "feature" lines override each other
     (meaning we'd have to start tracking the source for every option).

  3. Accept that we might parse a "feature export-marks" line that is
     forbidden, as long as we don't _act_ on it until after we've parsed
     the command line options.

     This would, in fact, work with the current code, but only because
     the previous patch fixed the export-marks parser to avoid touching
     the filesystem.

     So while it works, it does carry risk of somebody getting it wrong
     in the future in a rather subtle and unsafe way.

I've gone with option (1) here as simple, safe, and unlikely to cause
regressions.

This fixes CVE-2019-1348.

Signed-off-by: Jeff King <peff@peff.net>
2019-12-04 13:20:04 +01:00
howto doc: use https links to avoid http redirect 2017-04-20 22:05:37 -07:00
RelNotes Git 2.14.5 2018-09-27 11:19:11 -07:00
technical Merge branch 'ma/pager-per-subcommand-action' into maint 2017-09-10 17:02:48 +09:00
.gitattributes
.gitignore
asciidoc.conf
asciidoctor-extensions.rb Documentation: implement linkgit macro for Asciidoctor 2017-01-31 12:18:18 -08:00
blame-options.txt Merge branch 'bc/blame-doc-fix' 2017-02-24 10:48:08 -08:00
build-docdep.perl
cat-texi.perl Documentation: remove unneeded argument in cat-texi.perl 2017-01-23 10:56:47 -08:00
cmd-list.perl command-list: prepare machinery for upcoming "common groups" section 2015-05-21 13:03:37 -07:00
CodingGuidelines Merge branch 'ab/c-translators-comment-style' into maint 2017-06-05 09:03:10 +09:00
config.txt Revert "color: make "always" the same as "auto" in config" 2017-10-17 15:08:51 +09:00
date-formats.txt Merge branch 'lr/doc-fix-cet' into maint 2017-01-17 15:19:08 -08:00
diff-config.txt doc: add missing values "none" and "default" for diff.wsErrorHighlight 2017-07-25 14:30:49 -07:00
diff-format.txt Documentation: improve description for core.quotePath 2017-03-02 11:40:51 -08:00
diff-generate-patch.txt Documentation: improve description for core.quotePath 2017-03-02 11:40:51 -08:00
diff-heuristic-options.txt diff: retire "compaction" heuristics 2016-12-23 12:32:22 -08:00
diff-options.txt Merge branch 'ah/doc-wserrorhighlight' into maint 2017-08-23 14:33:51 -07:00
docbook-xsl.css
docbook.xsl
everyday.txto Documentation: fix linkgit references 2016-05-09 15:44:14 -07:00
fetch-options.txt Merge branch 'nd/shallow-deepen' 2016-10-10 14:03:50 -07:00
fix-texi.perl Add support for an info version of the user manual 2007-08-10 23:16:18 -07:00
fmt-merge-msg-config.txt Documentation: include 'merge.branchdesc' for merge and config as well 2015-05-28 12:38:46 -07:00
git-add.txt Merge branch 'mr/doc-negative-pathspec' into maint 2017-10-18 14:19:12 +09:00
git-am.txt Merge branch 'mm/doc-tt' 2016-07-13 11:24:14 -07:00
git-annotate.txt blame: honor the diff heuristic options and config 2016-09-19 10:25:11 -07:00
git-apply.txt Documentation: improve description for core.quotePath 2017-03-02 11:40:51 -08:00
git-archimport.txt docs/archimport: quote sourcecontrol.net reference 2017-04-20 22:05:38 -07:00
git-archive.txt
git-bisect-lk2009.txt doc: replace more gmane links 2017-05-09 21:13:13 -07:00
git-bisect.txt git-bisect.txt: add missing word 2017-04-01 11:35:45 -07:00
git-blame.txt Merge branch 'jc/blame-reverse' 2016-10-10 14:03:51 -07:00
git-branch.txt doc: camelCase the config variables to improve readability 2017-09-25 16:11:56 +09:00
git-bundle.txt transport: drop support for git-over-rsync 2016-02-01 13:07:41 -08:00
git-cat-file.txt doc: fix minor typos (extra/duplicated words) 2017-09-14 15:09:02 +09:00
git-check-attr.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-check-ignore.txt Documentation: fix linkgit references 2016-05-09 15:44:14 -07:00
git-check-mailmap.txt
git-check-ref-format.txt git-check-ref-format: clarify documentation for --normalize 2017-02-21 13:02:42 -08:00
git-checkout-index.txt
git-checkout.txt Merge branch 'jc/doc-checkout' into maint 2017-10-18 14:19:14 +09:00
git-cherry-pick.txt Merge branch 'mm/doc-tt' into maint 2016-07-28 11:25:54 -07:00
git-cherry.txt
git-citool.txt
git-clean.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-clone.txt clone: add a --no-tags option to clone without tags 2017-05-01 11:09:44 +09:00
git-column.txt
git-commit-tree.txt Merge branch 'mm/doc-tt' 2016-07-13 11:24:14 -07:00
git-commit.txt doc: reformat the paragraph containing the 'cut-line' 2017-07-18 15:04:49 -07:00
git-config.txt Merge branch 'dg/document-git-c-in-git-config-doc' into maint 2016-09-08 21:35:56 -07:00
git-count-objects.txt count-objects: report alternates via verbose mode 2016-10-10 13:52:37 -07:00
git-credential-cache--daemon.txt
git-credential-cache.txt credential-cache: use XDG_CACHE_HOME for socket 2017-03-17 11:19:40 -07:00
git-credential-store.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-credential.txt
git-cvsexportcommit.txt
git-cvsimport.txt Merge branch 'jk/doc-cvs-update' into maint 2016-10-03 13:22:25 -07:00
git-cvsserver.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-daemon.txt doc: typeset HEAD and variants as literal 2016-06-28 08:36:45 -07:00
git-describe.txt builtin/describe: introduce --broken flag 2017-03-22 10:13:41 -07:00
git-diff-files.txt
git-diff-index.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-diff-tree.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-diff.txt diff-files: document --ours etc. 2017-04-13 16:15:25 -07:00
git-difftool.txt Document the --no-gui option in difftool 2017-02-08 13:30:28 -08:00
git-fast-export.txt doc: convert \--option to --option 2015-05-12 22:14:46 -07:00
git-fast-import.txt fast-import: disallow "feature export-marks" by default 2019-12-04 13:20:04 +01:00
git-fetch-pack.txt upload-pack: optionally allow fetching any sha1 2016-11-18 13:06:14 -08:00
git-fetch.txt Merge branch 'mm/push-social-engineering-attack-doc' 2017-01-10 15:24:24 -08:00
git-filter-branch.txt filter-branch: add --setup step 2017-06-12 09:44:54 -07:00
git-fmt-merge-msg.txt Documentation/fmt-merge-msg: fix markup in example 2016-10-28 05:51:51 -07:00
git-for-each-ref.txt Merge branch 'jk/ref-filter-colors-fix' into maint 2017-10-18 14:20:43 +09:00
git-format-patch.txt Merge branch 'xy/format-patch-base' 2017-04-23 22:07:55 -07:00
git-fsck-objects.txt
git-fsck.txt fsck: optionally show more helpful info for broken links 2016-07-18 15:15:59 -07:00
git-gc.txt docs/git-gc: fix default value for --aggressiveDepth 2017-02-24 09:59:12 -08:00
git-get-tar-commit-id.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-grep.txt Merge branch 'mr/doc-negative-pathspec' into maint 2017-10-18 14:19:12 +09:00
git-gui.txt doc: git-gui browser does not default to HEAD 2017-01-13 12:23:28 -08:00
git-hash-object.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-help.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-http-backend.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-http-fetch.txt
git-http-push.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-imap-send.txt imap-send: use cURL automatically when NO_OPENSSL defined 2015-03-10 15:19:05 -07:00
git-index-pack.txt index-pack: add --max-input-size=<size> option 2016-08-24 12:31:05 -07:00
git-init-db.txt
git-init.txt init: document dotfiles exclusion on template copy 2017-02-17 15:57:21 -08:00
git-instaweb.txt doc: change configuration variables format 2016-06-08 12:04:55 -07:00
git-interpret-trailers.txt Documentation: fix reference to ifExists for interpret-trailers 2017-05-23 14:18:26 +09:00
git-log.txt Merge branch 'mj/log-show-signature-conf' 2016-07-11 10:31:08 -07:00
git-ls-files.txt Merge branch 'mm/ls-files-s-doc' 2017-04-16 23:29:30 -07:00
git-ls-remote.txt ls-remote: add support for showing symrefs 2016-01-19 10:07:56 -08:00
git-ls-tree.txt Documentation: improve description for core.quotePath 2017-03-02 11:40:51 -08:00
git-mailinfo.txt Merge branch 'va/mailinfo-doc-typofix' into maint 2016-05-26 13:17:14 -07:00
git-mailsplit.txt mailsplit: support unescaping mboxrd messages 2016-06-06 11:14:43 -07:00
git-merge-base.txt doc: fix merge-base ASCII art tab spacing 2016-10-21 09:46:48 -07:00
git-merge-file.txt merge-file: clamp exit code to maximum 127 2015-10-29 12:10:23 -07:00
git-merge-index.txt
git-merge-one-file.txt
git-merge-tree.txt
git-merge.txt Documentation/git-merge: explain --continue 2017-08-21 17:12:44 -07:00
git-mergetool--lib.txt
git-mergetool.txt mergetool: honor -O<orderfile> 2016-10-11 10:04:31 -07:00
git-mktag.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-mktree.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-mv.txt doc: typeset short command-line options as literal 2016-06-28 08:20:52 -07:00
git-name-rev.txt name-rev: add support to exclude refs by pattern match 2017-01-23 18:33:17 -08:00
git-notes.txt doc: fix minor typos (extra/duplicated words) 2017-09-14 15:09:02 +09:00
git-p4.txt Merge branch 'ls/p4-retry-thrice' 2017-01-18 15:12:12 -08:00
git-pack-objects.txt Doc: clarify that pack-objects makes packs, plural 2017-08-23 10:39:41 -07:00
git-pack-redundant.txt
git-pack-refs.txt
git-parse-remote.txt
git-patch-id.txt doc: remove unsupported parameter from patch-id 2017-07-28 14:41:32 -07:00
git-prune-packed.txt
git-prune.txt worktree: new place for "git prune --worktrees" 2015-06-29 08:48:44 -07:00
git-pull.txt Merge branch 'sb/pull-rebase-submodule' 2017-07-13 16:14:54 -07:00
git-push.txt push: document & test --force-with-lease with multiple remotes 2017-04-19 18:53:06 -07:00
git-quiltimport.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-read-tree.txt Merge branch 'jk/doc-read-tree-table-asciidoctor-fix' into maint 2017-10-18 14:19:11 +09:00
git-rebase.txt Merge branch 'ks/fix-rebase-doc-picture' into maint 2017-07-21 15:03:39 -07:00
git-receive-pack.txt refs: reject ref updates while GIT_QUARANTINE_PATH is set 2017-04-16 18:19:18 -07:00
git-reflog.txt git-reflog: add exists command 2015-07-21 14:08:14 -07:00
git-remote-ext.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
git-remote-fd.txt Spelling fixes 2016-08-11 14:35:42 -07:00
git-remote-helpers.txto
git-remote-testgit.txt
git-remote.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-repack.txt repack: accept --threads=<n> and pass it down to pack-objects 2017-04-27 08:09:25 +09:00
git-replace.txt doc: change environment variables format 2016-06-08 12:04:37 -07:00
git-request-pull.txt doc: show usage of branch description 2015-09-14 12:50:33 -07:00
git-rerere.txt *config.txt: stick to camelCase naming convention 2015-03-13 22:13:46 -07:00
git-reset.txt Spelling fixes 2017-06-27 10:35:49 -07:00
git-rev-list.txt Merge branch 'jk/date-local' 2015-10-05 12:30:13 -07:00
git-rev-parse.txt doc: rewrite description for rev-parse --short 2017-06-01 10:37:42 +09:00
git-revert.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-rm.txt Merge branch 'sb/submodule-doc' 2017-07-12 15:18:21 -07:00
git-send-email.txt Merge branch 'xz/send-email-batch-size' 2017-07-06 18:14:46 -07:00
git-send-pack.txt remote-curl: allow push options 2017-03-22 15:41:21 -07:00
git-sh-i18n--envsubst.txt
git-sh-i18n.txt
git-sh-setup.txt doc: more consistency in environment variables format 2016-06-08 12:04:37 -07:00
git-shell.txt shell: drop git-cvsserver support by default 2017-09-12 11:05:58 +09:00
git-shortlog.txt shortlog: test and document --committer option 2016-12-16 09:39:10 -08:00
git-show-branch.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-show-index.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-show-ref.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-show.txt doc: convert \--option to --option 2015-05-12 22:14:46 -07:00
git-stage.txt
git-stash.txt stash: update documentation to use 'stash entry' 2017-06-18 22:16:36 -07:00
git-status.txt Merge branch 'mr/doc-negative-pathspec' into maint 2017-10-18 14:19:12 +09:00
git-stripspace.txt usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
git-submodule.txt Merge branch 'sb/submodule-doc' 2017-07-12 15:18:21 -07:00
git-svn.txt git-svn: document special options for commit-diff 2017-06-15 01:09:31 +00:00
git-symbolic-ref.txt
git-tag.txt Merge branch 'jk/ref-filter-colors-fix' into maint 2017-10-18 14:20:43 +09:00
git-tools.txt doc: replace or.cz gitwiki link with git.wiki.kernel.org 2017-04-20 22:05:37 -07:00
git-unpack-file.txt
git-unpack-objects.txt unpack-objects: add --max-input-size=<size> option 2016-08-24 12:31:05 -07:00
git-update-index.txt doc: fix minor typos (extra/duplicated words) 2017-09-14 15:09:02 +09:00
git-update-ref.txt update-ref and tag: add --create-reflog arg 2015-07-21 14:08:35 -07:00
git-update-server-info.txt
git-upload-archive.txt Documentation: match underline with the text 2015-10-22 10:16:12 -07:00
git-upload-pack.txt upload-pack.c: use parse-options API 2016-05-31 10:17:20 -07:00
git-var.txt
git-verify-commit.txt Merge branch 'dn/gpg-doc' into maint 2016-07-06 13:06:36 -07:00
git-verify-pack.txt git-verify-pack.txt: fix inconsistent spelling of "packfile" 2015-05-17 11:24:57 -07:00
git-verify-tag.txt builtin/verify-tag: add --format to verify-tag 2017-01-17 16:10:22 -08:00
git-web--browse.txt doc: typeset long command-line options as literal 2016-06-28 08:36:45 -07:00
git-whatchanged.txt
git-worktree.txt worktree add: add --lock option 2017-04-20 17:59:02 -07:00
git-write-tree.txt
git.txt doc: correct command formatting 2017-09-29 10:54:38 +09:00
gitattributes.txt Documentation: mention that eol can change the dirty status of paths 2017-09-07 08:57:54 +09:00
gitcli.txt stash: update documentation to use 'stash entry' 2017-06-18 22:16:36 -07:00
gitcore-tutorial.txt gitcore-tutorial: update broken link 2017-04-20 22:05:38 -07:00
gitcredentials.txt credential doc: make multiple-helper behavior more prominent 2017-05-02 10:58:06 +09:00
gitcvs-migration.txt Merge branch 'sb/doc-unify-bottom' 2017-02-15 12:54:20 -08:00
gitdiffcore.txt docs/diffcore: unquote "Complete Rewrites" in headers 2017-02-28 11:34:38 -08:00
giteveryday.txt giteveryday: unbreak rendering with AsciiDoctor 2017-01-07 14:03:40 -08:00
gitglossary.txt Documentation: unify bottom "part of git suite" lines 2017-02-09 15:14:01 -08:00
githooks.txt send-email: support validate hook 2017-05-16 11:13:00 +09:00
gitignore.txt doc: change configuration variables format 2016-06-08 12:04:55 -07:00
gitk.txt Merge branch 'sb/remove-gitview' 2017-01-18 15:12:18 -08:00
gitmodules.txt Merge branch 'ss/submodule-shallow-doc' 2017-04-26 15:39:07 +09:00
gitnamespaces.txt doc: mention transfer data leaks in more places 2016-11-14 11:23:07 -08:00
gitremote-helpers.txt fix minor typos 2017-05-01 11:01:52 +09:00
gitrepository-layout.txt Merge branch 'sb/doc-unify-bottom' 2017-02-15 12:54:20 -08:00
gitrevisions.txt doc: gitrevisions - clarify 'latter case' is revision walk 2016-08-13 19:36:44 -07:00
gitsubmodules.txt submodules: overhaul documentation 2017-06-22 15:25:25 -07:00
gittutorial-2.txt Documentation: unify bottom "part of git suite" lines 2017-02-09 15:14:01 -08:00
gittutorial.txt Documentation: unify bottom "part of git suite" lines 2017-02-09 15:14:01 -08:00
gitweb.conf.txt doc: use https links to avoid http redirect 2017-04-20 22:05:37 -07:00
gitweb.txt doc: use https links to Wikipedia to avoid http redirects 2017-05-15 13:04:54 +09:00
gitworkflows.txt Documentation: unify bottom "part of git suite" lines 2017-02-09 15:14:01 -08:00
glossary-content.txt Merge branch 'mr/doc-negative-pathspec' into maint 2017-10-18 14:19:12 +09:00
howto-index.sh
i18n.txt doc: camelCase the i18n config variables to improve readability 2017-07-17 15:11:26 -07:00
install-doc-quick.sh
install-webdoc.sh
line-range-format.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
lint-gitlink.perl ci: validate "linkgit:" in documentation 2016-05-10 11:15:04 -07:00
mailmap.txt
Makefile submodules: overhaul documentation 2017-06-22 15:25:25 -07:00
manpage-1.72.xsl
manpage-base-url.xsl.in
manpage-base.xsl
manpage-bold-literal.xsl
manpage-normal.xsl
manpage-quote-apos.xsl
manpage-suppress-sp.xsl
merge-config.txt doc: change environment variables format 2016-06-08 12:04:37 -07:00
merge-options.txt Merge branch 'kf/gpg-sig-verification-doc' 2016-05-17 14:38:39 -07:00
merge-strategies.txt merge-strategies: avoid implying that "-s theirs" exists 2017-09-25 14:34:23 +09:00
pretty-formats.txt pretty: respect color settings for %C placeholders 2017-07-13 12:42:51 -07:00
pretty-options.txt Merge branch 'tr/doc-tt' into maint 2016-07-06 13:06:34 -07:00
pull-fetch-param.txt fetch doc: src side of refspec could be full SHA-1 2017-10-18 05:59:34 +09:00
rev-list-options.txt Merge branch 'rs/strbuf-addftime-zZ' 2017-06-22 14:15:25 -07:00
revisions.txt Merge branch 'vn/revision-shorthand-for-side-branch-log' 2017-04-19 21:37:25 -07:00
sequencer.txt
SubmittingPatches Merge branch 'rg/doc-submittingpatches-wordfix' 2017-05-04 16:26:46 +09:00
texi.xsl Documentation: add XSLT to fix DocBook for Texinfo 2017-01-23 10:56:53 -08:00
transfer-data-leaks.txt doc: mention transfer data leaks in more places 2016-11-14 11:23:07 -08:00
urls-remotes.txt Documentation: match underline with the text 2015-10-22 10:16:12 -07:00
urls.txt transport: drop support for git-over-rsync 2016-02-01 13:07:41 -08:00
user-manual.conf
user-manual.txt asciidoctor: fix user-manual to be built by asciidoctor 2017-01-13 10:30:16 -08:00