diff options
author | Christian Couder <christian.couder@gmail.com> | 2019-05-29 14:44:32 +0200 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2019-05-29 11:05:34 -0700 |
commit | e693237e2ba27b6129e8af7f6a794f5c2fbd26f3 (patch) | |
tree | 2317223e6228a03a1b0b9fd4ecf5dc51a5eb5fbb /contrib | |
parent | Git 2.22-rc1 (diff) | |
download | tgif-e693237e2ba27b6129e8af7f6a794f5c2fbd26f3.tar.xz |
list-objects-filter: disable 'sparse:path' filters
If someone wants to use as a filter a sparse file that is in the
repository, something like "--filter=sparse:oid=<ref>:<path>"
already works.
So 'sparse:path' is only interesting if the sparse file is not in
the repository. In this case though the current implementation has
a big security issue, as it makes it possible to ask the server to
read any file, like for example /etc/password, and to explore the
filesystem, as well as individual lines of files.
If someone is interested in using a sparse file that is not in the
repository as a filter, then at the minimum a config option, such
as "uploadpack.sparsePathFilter", should be implemented first to
restrict the directory from which the files specified by
'sparse:path' can be read.
For now though, let's just disable 'sparse:path' filters.
Helped-by: Matthew DeVore <matvore@google.com>
Helped-by: Jeff Hostetler <git@jeffhostetler.com>
Signed-off-by: Christian Couder <chriscool@tuxfamily.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/completion/git-completion.bash | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/completion/git-completion.bash b/contrib/completion/git-completion.bash index 3eefbabdb1..9f71bcde96 100644 --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -1536,7 +1536,7 @@ _git_fetch () return ;; --filter=*) - __gitcomp "blob:none blob:limit= sparse:oid= sparse:path=" "" "${cur##--filter=}" + __gitcomp "blob:none blob:limit= sparse:oid=" "" "${cur##--filter=}" return ;; --*) |