Hi Junio,

On Thu, 26 Dec 2019, Junio C Hamano wrote:

> "Johannes Schindelin via GitGitGadget" <gitgitgadget@xxxxxxxxx>
> writes:
>
> > I would appreciate reviews with a particular eye on keeping users safe: I am
> > not 100% certain that all relevant file writes go through the index (I think
> > that they all go through the index, but I might have well missed a corner
> > case).
>
> There are peripheral commands that do not use the index at all, such
> as "archive"; piping "git archive" output to unarchiver that writes
> into the filesystem would be a way. But I do not think that
> qualifies as an attack vector you are looking for.

Yes, I thought about `git archive`, too. The thing is, I could imagine
legitimate use cases where a user wants to generate e.g. a `.zip` on
Windows, with the intention to unpack it on Linux. In such a case, we
would not want to prevent said `.zip` from being generated.

I also briefly considered the scripts that write some trees into a
temporary location, but those scripts typically use `git read-tree -u -m`
with a temporary index, i.e. they _do_ go through the index, still.

Thank you for your thoughts about this issue,
Dscho