On 2020.11.04 13:14, Junio C Hamano wrote: > Josh Steadmon <steadmon@xxxxxxxxxx> writes: > > > When a client receives a trace2-sid capability from a protocol v0, v1, > > or v2 server, log the received session ID via a trace2 data event. > > Would this pose a new security threat surface? Just wondering if we > want to ignore the capability if it is not enabled on our end with > the configuration. > > Thanks. As Jeff pointed out, the json-writer handles string escapes, so I don't think we could cause any trouble with the trace2 "event" target. The "normal" target ignores data events, so this would not show up in a normal trace2 log. The "perf" target doesn't seem to do any escaping, but it's intended to be human readable rather than parseable, so I'm not sure if we need to worry there. Jeff, any thoughts?
