On Wed, Aug 07, 2019 at 04:17:49AM +0000, brian m. carlson wrote: > > I think if we at least choose the left-most "--" as the official > > end-of-options then they can't inject an option (they can only inject a > > rev as a path). I guess that's the same as with --end-of-options. But it > > somehow feels less clear to me than a separate marker. > > I suppose if there's more than two, then interpret the first one as the > end-of-options marker, the second one in the traditional way, and any > subsequent ones as pathspecs matching the file "--". Writing such a > command line would be silly, but we'd fail secure. Yeah, I think that could work. I'd be a little concerned that the implementation would end up complicated and confusing, just because there are other parts of the code that treat "--" specially. That's not a necessarily a reason to avoid it if there's a compelling reason, but I think I favor a unique marker anyway (or at least am otherwise ambivalent). > That's a good point. I don't have a strong view either way, but I > thought I'd ask about alternatives. Discussion of alternatives is very welcome. I think the most compelling alternative is the one I pointed out in one of the commit messages: git rev-list --revision=<whatever> which lets normal left-to-right parsing work without any complex reasoning. It is harder to use with "$@", though. Related, my proposal doesn't do anything for rev-parse. I think that: git rev-parse --end-of-options -xyz should probably return: --end-of-options <oid of -xyz> but I mostly consider that kind of use of rev-parse (pretending to be an options parser for rev-list) to be vestigial. The main use of rev-parse (in my experience) is "rev-parse --verify" to resolve a single name. There are still some gaps there. For instance: git rev-parse --verify --foo will treat "--foo" as an option (and then complain that there was no rev argument). I don't think you can do anything too mischievous from this, but it might be nice to tighten it up. I'm tempted to say that "--verify" should complain if there isn't exactly one argument, but technically things like this do work: git rev-parse --verify --sq "$rev" git rev-parse --verify --symbolic-full-name "$rev" I don't know if anybody cares or not. We could perhaps work around it by having --verify treat the final argument as a non-option, even if it starts with "-". That would allow those cases, but: git rev-parse --verify --symbolic-full-name would treat the latter as an argument (and currently that's always an error anyway). Looking at rev-parse, there are other weird bits to --verify, too. E.g., this: git rev-parse --verify a...b c shows a...b, ignoring that --verify was given, and then eventually "c". -Peff
