Hi, In August, 2018, Brandon Williams wrote: > Commit 0383bbb901 (submodule-config: verify submodule names as paths, > 2018-04-30) introduced some checks to ensure that submodule names don't > include directory traversal components (e.g. "../"). > > This addresses the vulnerability identified in 0383bbb901 but the root > cause is that we use submodule names to construct paths to the > submodule's git directory. What we really should do is munge the > submodule name before using it to construct a path. Thanks again for this. I liked the proposal enough to run Git with patches implementing it for a while. That said, there were some unaddressed comments in the review. I've put a summary in https://crbug.com/git/28 to make this easier to pick up where we left off. Summary from there of the upstream review: 1. Using urlencoding to escape the slashes is fine, but what if we want to escape some other character (for example to handle case-insensitive filesystems)? Proposal: Store the escaping mapping in config[1] so it can be modified it in the future: [submodule "plugin/hooks"] gitdirname = plugins%2fhooks 2. The urlencoded name could conflict with a submodule that has % in its name in an existing clone created by an older version of Git. Proposal: Put submodules in a new .git/submodules/ directory instead of .git/modules/. 3. These gitdirname settings can clutter up .git/config. Proposal: For the "easy" cases (e.g. submodule name consisting of [a-z]*), allow omitting the gitdirname setting. Is that a fair summary? Are there concerns from the review that I forgot, or would a new version of the series that addresses those three problems put us in good shape? Thanks, Jonathan [1] https://public-inbox.org/git/20180816181940.46114-1-bmwill@xxxxxxxxxx/