Jeff King <peff@xxxxxxxx> writes:

> ... if that is OK or not. My mental model has remained "it is OK to run
> upload-pack on an untrusted repository", but it would make sense to get
> input from folks who looked at this in the past, like Dscho, and/or to
> reassess the threat model from scratch.
>
> In particular I did not follow all of the potential issues with linked
> local files. Are we good now after other fixes (in which case this patch
> is OK)? Are we good only for non-local clones (so this patch is OK only
> combined with a fix for clone to check ownership for --local mode)? Or
> are there still problems if an attacker controls the repo paths, in
> which case upload-pack should remain conservative?

Good questions.