summaryrefslogtreecommitdiff
path: root/Documentation/giteveryday.txt
diff options
context:
space:
mode:
authorLibravatar Christian Couder <christian.couder@gmail.com>2019-05-29 14:44:32 +0200
committerLibravatar Junio C Hamano <gitster@pobox.com>2019-05-29 11:05:34 -0700
commite693237e2ba27b6129e8af7f6a794f5c2fbd26f3 (patch)
tree2317223e6228a03a1b0b9fd4ecf5dc51a5eb5fbb /Documentation/giteveryday.txt
parentGit 2.22-rc1 (diff)
downloadtgif-e693237e2ba27b6129e8af7f6a794f5c2fbd26f3.tar.xz
list-objects-filter: disable 'sparse:path' filters
If someone wants to use as a filter a sparse file that is in the repository, something like "--filter=sparse:oid=<ref>:<path>" already works. So 'sparse:path' is only interesting if the sparse file is not in the repository. In this case though the current implementation has a big security issue, as it makes it possible to ask the server to read any file, like for example /etc/password, and to explore the filesystem, as well as individual lines of files. If someone is interested in using a sparse file that is not in the repository as a filter, then at the minimum a config option, such as "uploadpack.sparsePathFilter", should be implemented first to restrict the directory from which the files specified by 'sparse:path' can be read. For now though, let's just disable 'sparse:path' filters. Helped-by: Matthew DeVore <matvore@google.com> Helped-by: Jeff Hostetler <git@jeffhostetler.com> Signed-off-by: Christian Couder <chriscool@tuxfamily.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/giteveryday.txt')
0 files changed, 0 insertions, 0 deletions