pvutov@xxxxxxx writes: > From: Petar Vutov <pvutov@xxxxxxx> > > To mitigate CVE-2019-19604, the capability to configure > `git submodule update` to execute custom commands was > removed in v2.20.2. > > The git-submodule documentation still mentions the now-unsupported > syntax, which is misleading. > > Remove the leftover documentation. The change during v2.20.2 timeperiod you have in mind may be e904deb8 (submodule: reject submodule.update = !command in .gitmodules, 2019-12-05). The key phrase is "in .gitmodules" as it did not forbid writing update command in the configuration. The pre-context lines of your patch (see below) say that the 'custom command' option and 'none' option are only available via the `submodule.<name>.update` configuration variable. IOW, this part of the documentation does not talk about the .gitmodules file---it talks about what you can say in the configuration file (which is under your local control). I think the existing text that came from fc01a5d2 (submodule update documentation: don't repeat ourselves, 2016-12-27) may be misleading, and may has room for improvement, but I do not think it is wrong per-se. If we remove it, there is nowhere else that teaches users !cmd can be set in their configuration files, or is there? Thanks. > Signed-off-by: Petar Vutov <pvutov@xxxxxxx> > --- > Documentation/git-submodule.txt | 6 ------ > 1 file changed, 6 deletions(-) > > diff --git a/Documentation/git-submodule.txt b/Documentation/git-submodule.txt > index 4d3ab6b9f9..b40ac72f75 100644 > --- a/Documentation/git-submodule.txt > +++ b/Documentation/git-submodule.txt > @@ -163,12 +163,6 @@ checked out in the submodule. > The following 'update' procedures are only available via the > `submodule.<name>.update` configuration variable: > > - custom command;; arbitrary shell command that takes a single > - argument (the sha1 of the commit recorded in the > - superproject) is executed. When `submodule.<name>.update` > - is set to '!command', the remainder after the exclamation mark > - is the custom command. > - > none;; the submodule is not updated. > > If the submodule is not yet initialized, and you just want to use the
