On Sat, May 25, 2019 at 04:28:34PM +0200, Christian Couder wrote:

> If someone wants to use as a filter a sparse file that is in the
> repository, something like "--filter=sparse:oid=<ref>:<path>"
> already works.
>
> So 'sparse:path' is only interesting if the sparse file is not in
> the repository. In this case though the current implementation has
> a big security issue, as it makes it possible to ask the server to
> read any file, like for example /etc/password, and to explore the
> filesystem, as well as individual lines of files.
>
> If someone is interested in using a sparse file that is not in the
> repository as a filter, then at the minimum a config option, such
> as "uploadpack.sparsePathFilter", should be implemented first to
> restrict the directory from which the files specified by
> 'sparse:path' can be read.
>
> For now though, let's just disable 'sparse:path' filters.

Thanks for picking this up. The patch looks fine to me (versus just
disabling it for remote invocations) assuming we are OK with the possible
regression. I suppose cooking this in 'next' for a while is one way we
might find out if anybody yells loudly.

-Peff
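The quoted message contrasts two ways a sparse filter can name its spec file: `sparse:oid=<ref>:<path>` reads it out of the repository's own object store, whereas `sparse:path=<path>` reads it from the server's filesystem, which is what makes it an arbitrary-file-read primitive. What follows is an added example for this thread, not code from git itself: a small Python model of the server-side decision. It rejects `sparse:path` outright by default (the behaviour the patch under discussion adopts) and, when an allowed directory is configured (modelled on the `uploadpack.sparsePathFilter` option Christian floats as a possibility), confines the requested path to that directory by resolving it with `os.path.realpath` and checking containment, so `..`, absolute paths and symlinks cannot escape. The config key name, the `parse_sparse_filter`/`resolve_within` helpers and the scenario built in `demo()` are all this example's own assumptions, not git internals.

```python
"""Model of server-side handling of a 'sparse:' filter spec.

Added example, not git's code. The two spec forms are real git syntax;
the allowed-directory option and the helpers below are assumptions made
for illustration.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple


class FilterError(ValueError):
    """Raised when a filter spec is malformed or must not be honoured."""


def resolve_within(base: str, relpath: str) -> str:
    """Resolve relpath under base and refuse anything that escapes base.

    realpath() is applied to both sides so that '..' components and
    symlinks are collapsed before the containment check is made.
    """
    base_real = os.path.realpath(base)
    if os.path.isabs(relpath):
        raise FilterError("absolute path not allowed")
    candidate = os.path.realpath(os.path.join(base_real, relpath))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise FilterError("path escapes allowed directory")
    if not os.path.isfile(candidate):
        raise FilterError("not a regular file")
    return candidate


def parse_sparse_filter(spec: str, allowed_dir: Optional[str] = None) -> Tuple[str, str]:
    """Return (kind, value) for a 'sparse:' filter spec.

    'sparse:oid=<ref>:<path>' is always accepted: the spec file comes from
    the object store, so it cannot name a file on the server's filesystem.
    'sparse:path=<path>' is refused unless allowed_dir is configured, and
    then only if the resolved path stays inside allowed_dir.
    """
    if not spec.startswith("sparse:"):
        raise FilterError("not a sparse filter")
    body = spec[len("sparse:"):]
    if body.startswith("oid="):
        return ("oid", body[len("oid="):])
    if body.startswith("path="):
        if allowed_dir is None:
            raise FilterError("sparse:path filters are disabled")
        return ("path", resolve_within(allowed_dir, body[len("path="):]))
    raise FilterError("unknown sparse filter kind")


def demo() -> Dict[str, str]:
    """Constructed scenario: an allowed directory holding one real spec file
    and a symlink to a file outside it. Returns the outcome per request."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "sparse-specs")
        os.mkdir(allowed)
        with open(os.path.join(allowed, "default.spec"), "w") as f:
            f.write("/src/\n!/src/generated/\n")
        # A file the client must never see, plus a symlink to it inside
        # the allowed directory (constructed for the demo).
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("not for clients\n")
        os.symlink(secret, os.path.join(allowed, "leak"))

        # Default configuration: sparse:path is simply disabled.
        try:
            parse_sparse_filter("sparse:path=default.spec")
            results["disabled"] = "accepted"
        except FilterError as e:
            results["disabled"] = "rejected: " + str(e)

        requests = [
            ("good", "sparse:path=default.spec"),   # inside allowed dir
            ("abs", "sparse:path=/etc/passwd"),     # absolute path
            ("dotdot", "sparse:path=../secret.txt"),  # traversal
            ("symlink", "sparse:path=leak"),        # symlink escape
        ]
        for name, req in requests:
            try:
                _, path = parse_sparse_filter(req, allowed_dir=allowed)
                with open(path) as f:
                    results[name] = f.read()
            except FilterError as e:
                results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} {v!r}")
```

Only `good` yields file contents; the absolute, `..` and symlink requests are all refused, and with no allowed directory configured the spec is refused before any path is even looked at, which is the state the patch leaves the server in.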