diff options
| author |  Scott J. Goldman <scottjg@github.com> | 2014-02-28 05:04:19 -0500 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2014-02-28 09:55:37 -0800 |
| commit | 7671b63211712e5163ed46d4c93d0b75680c886c (patch) | |
| tree | 7de8871a0ebc22a47a81410fb6e1e34fe326f879 /Documentation | |
| parent | docs: clarify remote restrictions for git-upload-archive (diff) | |
| download | tgif-7671b63211712e5163ed46d4c93d0b75680c886c.tar.xz | |
add uploadarchive.allowUnreachable option
In commit ee27ca4, we started restricting remote git-archive
invocations to only accessing reachable commits. This
matches what upload-pack allows, but does restrict some
useful cases (e.g., HEAD:foo). We loosened this in 0f544ee,
which allows `foo:bar` as long as `foo` is a ref tip.
However, that still doesn't allow many useful things, like:
1. Commits accessible from a ref, like `foo^:bar`, which
are reachable
2. Arbitrary sha1s, even if they are reachable.
We can do a full object-reachability check for these cases,
but it can be quite expensive if the client has sent us the
sha1 of a tree; we have to visit every sub-tree of every
commit in the worst case.
Let's instead give site admins an escape hatch, in case they
prefer the more liberal behavior. For many sites, the full
object database is public anyway (e.g., if you allow dumb
walker access), or the site admin may simply decide the
security/convenience tradeoff is not worth it.
This patch adds a new config option to disable the
restrictions added in ee27ca4. It defaults to off, meaning
there is no change in behavior by default.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/config.txt | 7 | ||||
| -rw-r--r-- | Documentation/git-upload-archive.txt | 6 |
2 files changed, 13 insertions, 0 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt index 5f4d7939ed..64b69eeb6b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -2291,6 +2291,13 @@ transfer.unpackLimit:: not set, the value of this variable is used instead. The default value is 100. +uploadarchive.allowUnreachable:: + If true, allow clients to use `git archive --remote` to request + any tree, whether reachable from the ref tips or not. See the + discussion in the `SECURITY` section of + linkgit:git-upload-archive[1] for more details. Defaults to + `false`. + uploadpack.hiderefs:: String(s) `upload-pack` uses to decide which refs to omit from its initial advertisement. Use more than one diff --git a/Documentation/git-upload-archive.txt b/Documentation/git-upload-archive.txt index 8ae65d80c4..cbef61ba88 100644 --- a/Documentation/git-upload-archive.txt +++ b/Documentation/git-upload-archive.txt @@ -46,6 +46,12 @@ implications. These rules are subject to change in future versions of git, and the server accessed by `git archive --remote` may or may not follow these exact rules. +If the config option `uploadArchive.allowUnreachable` is true, these +rules are ignored, and clients may use arbitrary sha1 expressions. +This is useful if you do not care about the privacy of unreachable +objects, or if your object database is already publicly available for +access via non-smart-http. + OPTIONS ------- <directory>:: |