On Thu, Jun 30, 2022 at 06:13:56PM +0000, Glen Choo via GitGitGadget wrote: > @@ -380,6 +381,18 @@ Most configuration options are respected regardless of the scope it is > defined in, but some options are only respected in certain scopes. See the > option's documentation for the full details. > > +Protected configuration > +~~~~~~~~~~~~~~~~~~~~~~~ > + > +Protected configuration refers to the 'system', 'global', and 'command' scopes. > +For security reasons, certain options are only respected when they are > +specified in protected configuration, and ignored otherwise. > + > +Git treats these scopes as if they are controlled by the user or a trusted > +administrator. This is because an attacker who controls these scopes can do > +substantial harm without using Git, so it is assumed that the user's environment > +protects these scopes against attackers. > + I think this description is a good starting point, but I think I would have liked to see some more from the commit description make it into the documentation here. One thing that I didn't see mentioned in either is that the list of protected configuration is far from exhaustive. There are dozens upon dozens of configuration values that Git will happily execute as a subprocess (core.editor, core.pager, core.alternateRefsCommand, to name just a few). I don't think we should try and enumerate every possible path from configuration to command execution. But it is worth noting in the documentation that the list of configuration values which are only read in the protected context is non-exhaustive and best-effort only. Thanks, Taylor
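Review bot: In the added "Protected configuration" section, the sentence "certain options are only respected when they are specified in protected configuration, and ignored otherwise" names no option and gives the reader no way to find out which ones are affected. Suggest pointing to each option's own documentation, as the context paragraph just above the addition already does ("See the option's documentation for the full details"), and adding a sentence that the protected-only options are a best-effort, non-exhaustive set, as the reply asks. The same sentence should also say whether an option set outside these scopes is ignored silently or with a warning. Since the first added paragraph lists only 'system', 'global', and 'command', it would help to state explicitly which scopes are not protected, so a reader does not have to infer it.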