On Mon, Nov 07, 2016 at 11:35:23AM -0800, Brandon Williams wrote: > Previously the `GIT_ALLOW_PROTOCOL` environment variable was used to > specify a whitelist of protocols to be used in clone/fetch/push > commands. This patch introduces new configuration options for more > fine-grained control for allowing/disallowing protocols. This also has > the added benefit of allowing easier construction of a protocol > whitelist on systems where setting an environment variable is > non-trivial. > > Now users can specify a policy to be used for each type of protocol via > the 'protocol.<name>.allow' config option. A default policy for all > unconfigured protocols can be set with the 'protocol.allow' config > option. If no user configured default is made git, by default, will > allow known-safe protocols (http, https, git, ssh, file), disallow A minor nit, but in "If no user configured default is made git, by default, will..." the second "by default" is redundant. And possibly misleading. This _is_ the default case, there is no other way to change it. :) > +protocol.<name>.allow:: > + Set a policy to be used by protocol <name> with clone/fetch/push commands. `<name>` isn't defined here at all. I still think the list of protocols should go here, but at the very least, you need to point the user to the existing list in git(1). > `GIT_ALLOW_PROTOCOL`:: > - If set, provide a colon-separated list of protocols which are > - allowed to be used with fetch/push/clone. This is useful to > - restrict recursive submodule initialization from an untrusted > - repository. Any protocol not mentioned will be disallowed (i.e., > - this is a whitelist, not a blacklist). If the variable is not > - set at all, all protocols are enabled. The protocol names > - currently used by git are: > + The preferred way to configure allowed protocols is done through the > + config interface, though this setting takes precedences. See s/precedences/precedence/. I actually wonder if we should even drop "the preferred way" here. I had initially thought we would want it just for backwards-compatibility, but I actually think it is useful in its own right as a shorthand for more complicated config (and since we have to keep it around effectively forever anyway, there's no real cost to continuing to call it a feature versus a deprecated feature). I'm including a squashable patch at the end of this email with suggested wording (and which also moves the protocol list). > + test_expect_success "clone $desc (env var has precedence)" ' > + rm -rf tmp.git && > + ( > + GIT_ALLOW_PROTOCOL=none && > + export GIT_ALLOW_PROTOCOL && > + test_must_fail git -c protocol.$proto.allow=always clone --bare "$url" tmp.git > + ) > + ' This test is a good addition in this round. I suppose we could test also that GIT_ALLOW_PROTOCOL overrides protocol.allow, but I'm not sure if there is a point. If git were a black box, it's a thing I might check, but we know from the design that this is an unlikely bug (and that the implementation is unlikely to change in a way to cause it). So I could go either way. > [...] The rest of it looks good to me. Squashable documentation suggestions are below. -Peff --- diff --git a/Documentation/config.txt b/Documentation/config.txt index e89b33f9e..a9dc23f82 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -2331,7 +2331,28 @@ protocol.allow:: -- protocol.<name>.allow:: - Set a policy to be used by protocol <name> with clone/fetch/push commands. + Set a policy to be used by protocol `<name>` with clone/fetch/push + commands. See `protocol.allow` above for the available policies. ++ +The protocol names currently used by git are: ++ +-- + - `file`: any local file-based path (including `file://` URLs, + or local paths) + + - `git`: the anonymous git protocol over a direct TCP + connection (or proxy, if configured) + + - `ssh`: git over ssh (including `host:path` syntax, + `ssh://`, etc). + + - `http`: git over http, both "smart http" and "dumb http". + Note that this does _not_ include `https`; if you want to configure + both, you must do so individually. + + - any external helpers are named by their protocol (e.g., use + `hg` to allow the `git-remote-hg` helper) +-- pull.ff:: By default, Git does not create an extra merge commit when merging diff --git a/Documentation/git.txt b/Documentation/git.txt index c9823e34a..c52cec840 100644 --- a/Documentation/git.txt +++ b/Documentation/git.txt @@ -1150,30 +1150,13 @@ of clones and fetches. cloning a repository to make a backup). `GIT_ALLOW_PROTOCOL`:: - The preferred way to configure allowed protocols is done through the - config interface, though this setting takes precedences. See - linkgit:git-config[1] for more details. If set to a colon-separated - list of protocols, behave as if `protocol.allow` is set to `never`, and - each of the listed protocols has `protocol.<name>.allow` set to - `always`. In other words, any protocol not mentioned will be - disallowed (i.e., this is a whitelist, not a blacklist). The protocol - names currently used by git are: - - - `file`: any local file-based path (including `file://` URLs, - or local paths) - - - `git`: the anonymous git protocol over a direct TCP - connection (or proxy, if configured) - - - `ssh`: git over ssh (including `host:path` syntax, - `ssh://`, etc). - - - `http`: git over http, both "smart http" and "dumb http". - Note that this does _not_ include `https`; if you want both, - you should specify both as `http:https`. - - - any external helpers are named by their protocol (e.g., use - `hg` to allow the `git-remote-hg` helper) + If set to a colon-separated list of protocols, behave as if + `protocol.allow` is set to `never`, and each of the listed + protocols has `protocol.<name>.allow` set to `always` + (overriding any existing configuration). In other words, any + protocol not mentioned will be disallowed (i.e., this is a + whitelist, not a blacklist). See the description of + `protocol.allow` in linkgit:git-config[1] for more details. `GIT_PROTOCOL_FROM_USER`:: Set to 0 to prevent protocols used by fetch/push/clone which are