"Victoria Dye via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes: > From: Victoria Dye <vdye@xxxxxxxxxx> > > Update the validation of "curl URL" submodule URLs (i.e. those that specify > an "http[s]" or "ftp[s]" protocol) in 'check_submodule_url()' to catch more > invalid URLs. The existing validation using 'credential_from_url_gently()' > parses certain URLs incorrectly, leading to invalid submodule URLs passing > 'git fsck' checks. Conversely, 'url_normalize()' - used to validate remote > URLs in 'remote_get()' - correctly identifies the invalid URLs missed by > 'credential_from_url_gently()'. > > To catch more invalid cases, replace 'credential_from_url_gently()' with > 'url_normalize()' followed by a 'url_decode()' and a check for newlines > (mirroring 'check_url_component()' in the 'credential_from_url_gently()' > validation). Thanks. Left hand and right hand checking the same thing in different ways and coming up with different result is never a happy situation. Making sure we consistently use the same definition of what the valid URLs are is a very welcome thing to do, of course. > -test_expect_failure 'check urls' ' > +test_expect_success 'check urls' ' > cat >expect <<-\EOF && > ./bar/baz/foo.git > https://example.com/foo.git It is a bit unfortunate that from here we cannot tell which bogus URLs in this test that were incorrectly accepted are now rejected. Among the many bogus URLs in the input, we used to allow http://example.com:test/foo.git (we do not accept non-numeric representation of port numbers, so http://example.com:http/foo.git would also be rejected), but with this change, it is now rejected. All the other bogus ones are rejected just as before this change. Will queue. Thanks.
