On Thu, Jul 01, 2021 at 12:43:43PM -0400, Jeff King wrote: > I dunno. Maybe the solution is for ls_refs() to just do a separate > config call to pick up the operation-specific bits, like: By the way, I think both currently and after the patch I showed, ls_refs() has the same "bug" that we fixed for upload_pack_v2() a while ago: in a v2 world, a client could request "ls-refs" over and over, and each time we'd load the hiderefs config, appending duplicate config to the list each time. In practice this doesn't happen because unlike "fetch", which clients must do many rounds of, clients usually issue only a single ls-refs. So it may not be worth worrying too much about. I guess a malicious client could convince us to very slowly allocate an arbitrary amount of memory. -Peff
