Josh Steadmon <steadmon@xxxxxxxxxx> writes: > 2) upload-pack generally takes configuration via flags rather than > gitconfig. From offline discussions, it sounds like this is an > intentional choice to limit potential vulnerability from malicious > configs in local repositories accessed via the file:// URL scheme. Is > it reasonable to load the trace2.announceSID option from config files > in upload-pack, or should this be changed to a flag? I do not know about your offline discussion, but it certainly would make it easier to reason about the attack surface if we know it never gets affected by any configuration files. Having said that, upload-pack.c::upload_pack_config() already reads a lot from the configuration file, many of these variables are named "allowSomething", so... IOW, I do not see why the announceSID (should it be in trace2.* hierarchy, though?) needs to be treated in any more sensitive than say uploadpack.allowrefinwant or *.allowfilter variables.
