From: Jeff King <peff@peff.net>
To: Jacob Keller <jacob.keller@gmail.com>
Cc: Stefan Beller <sbeller@google.com>,
	Lars Schneider <larsxschneider@gmail.com>,
	Git Users <git@vger.kernel.org>
Subject: Re: [RFC] How to pass Git config command line instructions to Submodule commands?
Date: Mon, 25 Apr 2016 17:27:09 -0400
Message-ID: <20160425212709.GB7636@sigill.intra.peff.net>
In-Reply-To: <20160425212449.GA7636@sigill.intra.peff.net>

On Mon, Apr 25, 2016 at 05:24:50PM -0400, Jeff King wrote:

> It does mean that somebody would be stuck who really wanted to run the
> smudge filter in their local repo, but for some reason not in the
> subrepos. I am trying to think of a case in which that might be
> security-relevant if you didn't trust the sub-repos[1]. But I really
> don't see it. The filter is arbitrary code, but that's specified by the
> user; we're just feeding it possibly untrusted blobs.

I forgot my [1], which was going to be: I wonder if there are any
interesting things you can do by feeding git-lfs untrusted content
(e.g., convincing it to hit arbitrary URLs). But I don't think so. The
URL is derived from the remote, and the LFS pointer files just contain
hashes.

That's all orthogonal to this thread anyway, though. People using LFS
generally have the config in ~/.gitconfig, so they run it for all repos,
trusted and untrusted.

-Peff
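
The message's point that LFS pointer files just contain hashes can be checked on the blob itself. The following is an added example, not code from this thread, Git, or git-lfs: a strict parser that accepts only the three-line pointer form and rejects everything else. The function name, the size cap and the sample blobs are constructed for illustration.

```python
import hashlib
import re

# Version line from the Git LFS pointer spec.
LFS_VERSION = "https://git-lfs.github.com/spec/v1"
OID_RE = re.compile(r"sha256:[0-9a-f]{64}")
SIZE_RE = re.compile(r"0|[1-9][0-9]*")
MAX_POINTER_BYTES = 1024  # assumed cap; anything larger is treated as real content


def parse_lfs_pointer(blob: bytes):
    """Return (oid_hex, size) for a minimal LFS pointer, else None.

    Deliberately stricter than the spec: optional extension keys are rejected,
    so an accepted pointer carries a hash and a size and nothing else.
    """
    if len(blob) > MAX_POINTER_BYTES:
        return None
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.endswith("\n"):
        return None
    fields = [line.partition(" ") for line in text[:-1].split("\n")]
    if [key for key, _, _ in fields] != ["version", "oid", "size"]:
        return None
    version, oid, size = (value for _, _, value in fields)
    if version != LFS_VERSION:
        return None
    if not OID_RE.fullmatch(oid) or not SIZE_RE.fullmatch(size):
        return None
    return oid.split(":", 1)[1], int(size)


# Constructed sample blobs, as a smudge filter would receive them on stdin.
SAMPLE_OID = hashlib.sha256(b"constructed sample content").hexdigest()
GOOD = f"version {LFS_VERSION}\noid sha256:{SAMPLE_OID}\nsize 26\n".encode()
EXTRA_KEY = GOOD + b"url https://example.invalid/object\n"
NOT_A_POINTER = b"#!/bin/sh\necho ordinary tracked file\n"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("extra key", EXTRA_KEY),
                       ("plain file", NOT_A_POINTER)]:
        print(f"{name}: {parse_lfs_pointer(blob)}")
```

A blob that fails this check is ordinary file content from the filter's point of view and would be passed through unchanged.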
