On Thu, Apr 28, 2016 at 12:28:21PM -0700, Junio C Hamano wrote:
> Jeff King <peff@xxxxxxxx> writes:
>
> > It's definitely sufficient, it's just annoying if a user shows up every
> > week and says "I want X.Y", and then somebody else shows up a week later
> > and says "I want X.Z".
> >
> > Are we serving any purpose in vetting each one (and if so, what)?
>
> Personally I do not think we would need to filter _anything_ if we
> can tell that the user directly said
>
> git -c var1=val1 -c var2=val2 $cmd ...
>
> and "git $cmd" ended up needing to spawn another "git" subcommand,
> possibly in some other repository (i.e. "$cmd" in this case is
> likely to be "submodule", but in principle it does not have to be).
> If the user somehow gives variables like core.worktree that are
> inappropriate to be applied across repositories, that's user's
> problem, i.e. "don't do it then if it hurts".
Right, we are talking about that direct case here. And any time our
filter heuristic lets something through, it is probably "if it hurts
don't do it" as the worst case.
So I think the only two cases worth filtering are:
1. Ones where we _know_ that the config is nonsense to pass along,
_and_ where a user might conceivably make use of the
just-the-top-level version of it (core.worktree
comes to mind, though of course they are probably better served by
"--work-tree" in such a case).
2. An option where we think there may be some security implication.
Setting "http.sslverify" to false does have some security
implications ("oops, I only meant to turn off verification for the
root repo, and I got MiTM-attacked for the submodules!"). But it's
so obscure and unlikely that I think the benefit outweighs it.
And I can't think of any other cases whose security implications
aren't similarly unlikely. But I haven't carefully gone down the
list (and as I said, I'd be hesitant to support a blacklist until
_somebody_ takes the time to do so).
> If we are doing any filtering, however, it is always hard, if not
> impossible, to take away what we originally granted, even by
> mistake, for any reason, even for correctness or for security, in a
> later release.
Yep, agreed.
I am OK staying with a whitelist. But I think we should be fairly
lenient in whitelisting hierarchies that people have a use for, and
which do not violate (1) or (2) above.
> We probably could sidestep it by introducing an end-user
> configurable "whitelist" somewhere.
Ugh. Please no. I do not want to have to think about explaining to
somebody that they can accomplish what they want with submodules, but
only by pre-configuring their ~/.gitconfig to allow certain keys so that
they can pass the appropriate config on the command line.
-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html