summaryrefslogtreecommitdiff
path: root/t/t4013/diff.diff_--raw_--no-abbrev_initial
diff options
context:
space:
mode:
authorLibravatar Jonathan Nieder <jrnieder@gmail.com>2018-03-28 13:33:03 -0700
committerLibravatar Junio C Hamano <gitster@pobox.com>2018-03-29 15:39:31 -0700
commitc7620bd0f35dddf8b8519da6fbf97014f46d0710 (patch)
treef13a1b9f57d7530ec55e33b604b895ac74c35e2f /t/t4013/diff.diff_--raw_--no-abbrev_initial
parentunpack-trees: release oid_array after use in check_updates() (diff)
downloadtgif-c7620bd0f35dddf8b8519da6fbf97014f46d0710.tar.xz
upload-pack: disable object filtering when disabled by config
When upload-pack gained partial clone support (v2.17.0-rc0~132^2~12, 2017-12-08), it was guarded by the uploadpack.allowFilter config item to allow server operators to control when they start supporting it. That config item didn't go far enough, though: it controls whether the 'filter' capability is advertised, but if a (custom) client ignores the capability advertisement and passes a filter specification anyway, the server would handle that despite allowFilter being false. This is particularly significant if a security bug is discovered in this new experimental partial clone code. Installations without uploadpack.allowFilter ought not to be affected since they don't intend to support partial clone, but they would be swept up into being vulnerable. Simplify and limit the attack surface by making uploadpack.allowFilter disable the feature, not just the advertisement of it. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/t4013/diff.diff_--raw_--no-abbrev_initial')
0 files changed, 0 insertions, 0 deletions