Re: [RFC/PATCH] upload-pack: disable object filtering when disabled by config


 



On Wed, Mar 28, 2018 at 01:33:03PM -0700, Jonathan Nieder wrote:

> When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12,
> 2017-12-08), it was guarded by the uploadpack.allowFilter config item
> to allow server operators to control when they start supporting it.
> 
> That config item didn't go far enough, though: it controls whether the
> 'filter' capability is advertised, but if a (custom) client ignores
> the capability advertisement and passes a filter specification anyway,
> the server would handle that despite allowFilter being false.
> 
> This is particularly significant if a security bug is discovered in
> this new experimental partial clone code.  Installations without
> uploadpack.allowFilter ought not to be affected since they don't
> intend to support partial clone, but they would be swept up into being
> vulnerable.
> 
> Simplify and limit the attack surface by making uploadpack.allowFilter
> disable the feature, not just the advertisement of it.

Great catch. If I understand correctly, this is an issue in the 2.17.0
release candidates. Is this worth delaying the release?

It's a funny situation. The presence of a security bug is theoretical
here, so nobody _should_ need to care, and this is just hardening. But
it does make me a little nervous, given the experimental-ness of the new
feature.

-Peff
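Added example, not part of the original message and not git's own code: a minimal C model of the gap the quoted commit message describes, where a config flag gates only the capability advertisement versus also gating the request path. The `server`, `request`, `handle_line` and `filter_path_reached` names are hypothetical, and the sample request line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a server; names are illustrative, not git's. */
struct server { int allow_filter; };              /* uploadpack.allowFilter */
struct request { int filtered; char spec[64]; };

/* Capability advertisement: the only place the original gate applied. */
static int advertises_filter(const struct server *s)
{
	return s->allow_filter;
}

/*
 * Process one request line. enforce == 0: config is consulted only when
 * advertising. enforce != 0: the same config also gates the request path.
 * Returns 0 if the line was accepted, -1 if it was refused.
 */
static int handle_line(const struct server *s, int enforce,
		       const char *line, struct request *req)
{
	if (strncmp(line, "filter ", 7) != 0)
		return 0;                 /* not a filter line: out of scope */
	if (enforce && !s->allow_filter)
		return -1;                /* feature off means request refused */
	snprintf(req->spec, sizeof(req->spec), "%s", line + 7);
	req->filtered = 1;
	return 0;
}

/* Constructed input: a client that sends a filter line without checking caps. */
static const char *const SAMPLE_LINE = "filter blob:none";

/* Returns 1 if the filter code path ran for SAMPLE_LINE under this setup. */
static int filter_path_reached(int allow_filter, int enforce)
{
	struct server s = { allow_filter };
	struct request req = { 0, "" };
	handle_line(&s, enforce, SAMPLE_LINE, &req);
	return req.filtered;
}

int main(void)
{
	printf("advertised=%d\n", advertises_filter(&(struct server){ 0 }));
	printf("advert-only gate: reached=%d\n", filter_path_reached(0, 0));
	printf("enforced gate:    reached=%d\n", filter_path_reached(0, 1));
	return 0;
}
```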


