| commit | 33cfccbbf35a56e190b79bdec5c85457c952a021 | |
| author | Jeff King <peff@peff.net> | |
| Wed, 16 Sep 2015 17:13:12 +0000 (16 13:13 -0400) | ||
| committer | Junio C Hamano <gitster@pobox.com> | |
| Wed, 23 Sep 2015 18:35:48 +0000 (23 11:35 -0700) | ||
| tree | 1b94b1eff66ebbc258722f59b60ca64eac0c6de3 | treesnapshot (tar.gz zip) |
| parent | a5adaced2e13c135d5d9cc65be9eb95aa3bacedf | commitdiff |
submodule: allow only certain protocols for submodule fetches
Some protocols (like git-remote-ext) can execute arbitrary
code found in the URL. The URLs that submodules use may come
from arbitrary sources (e.g., .gitmodules files in a remote
repository). Let's restrict submodules to fetching from a
known-good subset of protocols.
Note that we apply this restriction to all submodule
commands, whether the URL comes from .gitmodules or not.
This is more restrictive than we need to be; for example, in
the tests we run:
git submodule add ext::...
which should be trusted, as the URL comes directly from the
command line provided by the user. But doing it this way is
simpler, and makes it much less likely that we would miss a
case. And since such protocols should be an exception
(especially because nobody who clones from them will be able
to update the submodules!), it's not likely to inconvenience
anyone in practice.
Reported-by: Blake Burkhart <bburky@bburky.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Some protocols (like git-remote-ext) can execute arbitrary
code found in the URL. The URLs that submodules use may come
from arbitrary sources (e.g., .gitmodules files in a remote
repository). Let's restrict submodules to fetching from a
known-good subset of protocols.
Note that we apply this restriction to all submodule
commands, whether the URL comes from .gitmodules or not.
This is more restrictive than we need to be; for example, in
the tests we run:
git submodule add ext::...
which should be trusted, as the URL comes directly from the
command line provided by the user. But doing it this way is
simpler, and makes it much less likely that we would miss a
case. And since such protocols should be an exception
(especially because nobody who clones from them will be able
to update the submodules!), it's not likely to inconvenience
anyone in practice.
Reported-by: Blake Burkhart <bburky@bburky.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| git-submodule.sh | diffblobblamehistory | |
| t/t5815-submodule-protos.sh | [new file with mode: 0755] | blob |