On Thu, Nov 03, 2016 at 11:19:54AM -0700, Brandon Williams wrote:
> On 11/03, Jeff King wrote:
> > +
> > + /* unknown; let them be used only directly by the user */
> > + return PROTOCOL_ALLOW_USER_ONLY;
> > +}
> > +
> > int is_transport_allowed(const char *type)
> > {
> > - const struct string_list *allowed = protocol_whitelist();
> > - return !allowed || string_list_has_string(allowed, type);
> > + const struct string_list *whitelist = protocol_whitelist();
> > + if (whitelist)
> > + return string_list_has_string(whitelist, type);
> > +
> > + switch (get_protocol_config(type)) {
> > + case PROTOCOL_ALLOW_ALWAYS:
> > + return 1;
> > + case PROTOCOL_ALLOW_NEVER:
> > + return 0;
> > + case PROTOCOL_ALLOW_USER_ONLY:
> > + return git_env_bool("GIT_PROTOCOL_FROM_USER", 1);
> > + }
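Review bot: In the PROTOCOL_ALLOW_USER_ONLY case, git_env_bool("GIT_PROTOCOL_FROM_USER", 1) defaults to 1, and unknown protocols fall back to PROTOCOL_ALLOW_USER_ONLY, so a caller that passes on untrusted URLs without setting the variable to 0 still gets every unknown protocol allowed. The restriction is therefore opt-in per caller. Please document the variable and its default next to this function, with a comment at that return stating which callers are expected to set it. It is also worth a comment that a non-NULL whitelist returns before get_protocol_config() is consulted, so the per-protocol result is ignored whenever a whitelist exists. The quoted lines stop at the switch's closing brace; if nothing follows it in the function, add a final return so an unexpected enum value does not fall off the end.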
>
> I know this is just a rough patch you whipped up but one question:
> With the 'user' state, how exactly do you envision this env variable
> working? Do we want the user to have to explicitly set
> GIT_PROTOCOL_FROM_USER in their environment and then have these other
> commands (like git-submodule) explicitly clear the env var or would we
> rather these subcommands set a variable indicating they aren't coming
> from the user and the default state (no var set) is a user run command?

See the follow-up I just posted, but basically, the rules are:

  - if you don't say anything, then the URL is from the user

  - git-submodule would set it to "0" (i.e., tell us to be more careful)

  - tools like "go get" would similarly set it to "0" if they are
    passing untrusted URLs

-Peff