On Wed, Jul 31, 2024 at 09:23:49AM -0700, Junio C Hamano wrote:

> > And then upload-pack
> > could be free to drop the ownership check. Certainly a lot of people
> > have complained about it (I had actually thought we reverted it in
> > v2.45.2, but that was just the extra hooks defense-in-depth; so again, I
> > may be getting confused about the extra value of the enter_repo()
> > ownership check that came at the same time).
>
> As enter_repo() is about the protocol driver thing and not about
> normal users working inside a repository, calls to it appear only in
> receive-pack, upload-pack, upload-archive, http-backend, and daemon.
>
> Among them, upload-pack is the only thing we promise that is safe to
> work even in a hostile repository? If we push into a repository
> over the local transport, we would trigger post-receive hook as
> ourselves, which we would probably not want. The same story goes
> for daemon, http-backend, and upload-archive.

Yes, upload-pack is the only safe one.

> So we probably need to add another axis to the "strict" parameter
> enter_repo() takes to selectively disable the ownership checks only
> for upload-pack, or something like that.

Agreed.

> We may want to restrict "tar.<format>.command" only to protected
> configuration and then we may be able to loosen the ownership check
> for the upload-archive command.

Yes, though I don't know how valuable that is in practice (versus the
regression for folks who have a custom tar.*.command in their local-repo
config).

-Peff