On Sat, Feb 28, 2009 at 04:03:41PM -0800, Junio C Hamano wrote: > +/* > + * Notice any command line argument that we may not want to invoke > + * "git init" with when we are doing this remotely, and reject the > + * request. > + */ > +static int forbidden_arg(const char *arg) > +{ > + if (!prefixcmp(arg, "--shared=") || > + !strcmp(arg, "--shared") || > + !strcmp(arg, "--bare")) > + return 0; > + return 1; > +} I started this mail to complain that this function was "disallow known bad" instead of "allow known good". But then after reading it carefully three times, I see that it is in fact "not allow known good". Can we make it "allowed_arg" to prevent double negation? > + /* > + * NEEDSWORK: I do not currently think it is worth it, > + * but this might want to set up and use the sideband > + * to capture and send output from the child back to > + * the requestor. At least this comment needs to be removed > + * once we make the decision. > + */ > + child.stdout_to_stderr = 1; I guess there is a potential information leak to say "directory does not exist" versus "permission denied". Stopping such leaks often ends up creating more harm (in confused users who don't know why it failed) than good, but I think the fetch protocol is intentionally quiet here. ... Actually, I just checked. Over ssh, you get: $ git fetch host:/nonexistent fatal: '/foo': unable to chdir or not a git archive fatal: The remote end hung up unexpectedly But over git://, you get: $ git fetch git://host/nonexistent fatal: The remote end hung up unexpectedly which I think is just because ssh relays stderr but the git daemon does not. So we are leaking the information to people authenticated via ssh (who still might not be trusted or have full shell access, but are more likely to be), but not to the whole world. > + /* > + * NEEDSWORK: we might want to distinguish various > + * error codes from run_command() and return different > + * messages back. I am too lazy to be bothered. 
> + */ > + if (run_command(&child)) > + errmsg = "bad"; I think this somewhat falls into the same category as above (though perhaps the information is less interesting). -Peff
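Review bot: In forbidden_arg(), the `!prefixcmp(arg, "--shared=")` test accepts any text after the `=`, so the value of a remotely supplied `--shared=` option is passed through unchecked by this function. Either validate the value here or say in the comment that "git init" is relied on to reject bad ones. The comment above the function also describes rejecting unwanted arguments, while the code returns 0 only for three accepted options and 1 for everything else; the comment should state that this is an allow-list and name the accepted options.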
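Review bot: At `child.stdout_to_stderr = 1;` the NEEDSWORK comment leaves open where the child's output is meant to end up, and says itself that it has to be removed once that is decided. Before this is merged, replace it with a comment stating that the child's stdout is redirected to stderr and whether the requestor is expected to see that output, since that decides how much of the child's failure text is exposed to the remote side.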
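Review bot: At `if (run_command(&child)) errmsg = "bad";` every non-zero return is collapsed into the single string "bad", which gives the requestor nothing to act on and leaves no trace of the actual return code. If the uniform message is intentional, say so in the comment in place of the current NEEDSWORK wording, and consider recording the run_command() return value on the server side so the failure can still be diagnosed there.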