Stefan Beller wrote: > submodule.<name>.update can be assigned an arbitrary command via setting > it to "!command". When this command is found in the regular config, Git > ought to just run that command instead of other update mechanisms. > > However if that command is just found in the .gitmodules file, it is > potentially untrusted, which is why we do not run it. Add a test > confirming the behavior. > > Suggested-by: Jonathan Nieder <jrnieder@xxxxxxxxx> > Signed-off-by: Stefan Beller <sbeller@xxxxxxxxxx> > --- > t/t7406-submodule-update.sh | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh > index 034914a14f..d718cb00e7 100755 > --- a/t/t7406-submodule-update.sh > +++ b/t/t7406-submodule-update.sh > @@ -406,6 +406,20 @@ test_expect_success 'submodule update - command in .git/config' ' > ) > ' > > +test_expect_success 'submodule update - command in .gitmodules is ignored' ' > + test_when_finished "git -C super reset --hard HEAD^" && > + > + write_script must_not_run.sh <<-EOF && > + >$TEST_DIRECTORY/bad > + EOF > + > + git -C super config -f .gitmodules submodule.submodule.update "!$TEST_DIRECTORY/must_not_run.sh" && Long line, but I don't think I care. I wish there were a tool like "make style" to format shell scripts. > + git -C super commit -a -m "add command to .gitmodules file" && > + git -C super/submodule reset --hard $submodulesha1^ && > + git -C super submodule update submodule && > + test_path_is_missing bad > +' Per offline discussion, you tested that this fails when you use .git/config instead of .gitmodules, so there aren't any subtle typos here. :) Reviewed-by: Jonathan Nieder <jrnieder@xxxxxxxxx> Thanks for writing it.
