On Mon, Nov 28, 2016 at 04:15:08PM -0800, Junio C Hamano wrote: > * jk/nofollow-attr-ignore (2016-11-02) 5 commits > - exclude: do not respect symlinks for in-tree .gitignore > - attr: do not respect symlinks for in-tree .gitattributes > - exclude: convert "check_index" into a flags field > - attr: convert "macro_ok" into a flags field > - add open_nofollow() helper > > As we do not follow symbolic links when reading control files like > .gitignore and .gitattributes from the index, match the behaviour > and not follow symbolic links when reading them from the working > tree. This also tightens security a bit by not leaking contents of > an unrelated file in the error messages when it is pointed at by > one of these files that is a symbolic link. > > Perhaps we want to cover .gitmodules too with the same mechanism? Yes, sorry I haven't pushed that forward. I started on covering .gitmodules, too, but it's much more complicated than the other two, because we sometimes read them via "git config -f". So we have to somehow teach git-config to start using O_NOFOLLOW in those cases. I'm actually considering scrapping the approach you've queued above, and just teaching verify_path() to reject any index entry starting with ".git" that is a symlink. -Peff