From: Jeff King <peff@peff.net>
To: Patrick Steinhardt <ps@pks.im>
Cc: git@vger.kernel.org, "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Junio C Hamano" <gitster@pobox.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
"Philip Oakley" <philipoakley@iee.email>
Subject: Re: [PATCH v2 0/2] config: allow specifying config entries via envvar pairs
Date: Tue, 1 Dec 2020 06:30:15 -0500 [thread overview]
Message-ID: <X8YpRyOcPTOztZ8r@coredump.intra.peff.net> (raw)
In-Reply-To: <X8YRTPPfkRqo23ll@ncase>
On Tue, Dec 01, 2020 at 10:47:56AM +0100, Patrick Steinhardt wrote:
> > +void git_config_push_env(const char *spec)
> > +{
> > + struct strbuf buf = STRBUF_INIT;
> > + const char *env_name;
> > + const char *env_value;
> > +
> > + env_name = strchr(spec, '=');
> > + if (!env_name)
> > + return; /* die or warn? */
> > + env_name++;
> > +
> > + env_value = getenv(env_name);
> > + if (!env_value)
> > + return; /* die or warn? */
> > +
> > + strbuf_add(&buf, spec, env_name - spec);
> > + strbuf_addstr(&buf, env_value);
> > + git_config_push_parameter(buf.buf);
> > + strbuf_release(&buf);
> > +}
>
> I realize that you say it's yet unpolished, but doesn't this have
> parsing issues? The first strchr(3P) probably needs to be a strrchr(3P)
> to correctly parse `includeIf./home/foo/=repo.path=MY_PATH_ENV`.
Without further changes to $GIT_CONFIG_PARAMETERS, there'd be little
point. The value we put in there has the same parsing issue when read
out of the environment (which we resolve by disallowing "=" in the
subsection, just as here).
I don't think it's actually that big of a deal in practice (it _could_
be an injection source, but it seems somewhat implausible that somebody
is generating complex config keys based on untrusted input). But if we
care, then we could pretty easily change the reading side to separately
quote the key/value in this case:
'foo.subsection=with=equals.bar'='value=with=equals'
And then doing strrchr() would make sense, with the explicitly
documented rule that the environment variable name cannot contain an
equals sign. (Doing a raw "git -c" wouldn't work unless we introduce
another option that lets you specify the key and value separately; that
might be worthwhile, too).
> But we'd also have to handle shell quoting for the user, don't we?
I'm not sure exactly what you mean here. We wouldn't typically see any
shell quoting from the user, since the shell would dequote it and give
us a NUL-terminated argv. Or if you meant we'd have to adjust the shell
quoting in $GIT_CONFIG_PARAMETERS, then see above.
-Peff
next prev parent reply other threads:[~2020-12-01 11:32 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 10:50 [PATCH v2 0/2] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2020-11-24 10:50 ` [PATCH v2 1/2] config: extract function to parse config pairs Patrick Steinhardt
2020-11-24 10:50 ` [PATCH v2 2/2] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2020-11-25 3:39 ` Junio C Hamano
2020-11-25 7:06 ` Patrick Steinhardt
2020-11-25 7:41 ` Junio C Hamano
2020-11-25 7:57 ` Patrick Steinhardt
2020-11-25 8:47 ` Ævar Arnfjörð Bjarmason
2020-11-25 9:00 ` Ævar Arnfjörð Bjarmason
2020-11-25 19:50 ` Junio C Hamano
2020-11-25 10:41 ` [PATCH v2 0/2] " Jeff King
2020-11-25 13:16 ` Patrick Steinhardt
2020-11-26 0:36 ` Jeff King
2020-11-25 20:28 ` Junio C Hamano
2020-11-25 22:47 ` brian m. carlson
2020-11-26 6:31 ` Patrick Steinhardt
2020-12-01 9:47 ` Patrick Steinhardt
2020-12-01 11:30 ` Jeff King [this message]
2020-12-01 9:55 ` [PATCH v3 0/4] " Patrick Steinhardt
2020-12-01 9:55 ` [PATCH v3 1/4] environment: make `getenv_safe()` non-static Patrick Steinhardt
2020-12-01 9:56 ` [PATCH v3 2/4] config: extract function to parse config pairs Patrick Steinhardt
2020-12-01 9:56 ` [PATCH v3 3/4] config: refactor parsing of GIT_CONFIG_PARAMETERS Patrick Steinhardt
2020-12-01 9:56 ` [PATCH v3 4/4] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2020-12-09 11:52 ` [PATCH v4 0/6] config: allow specifying config entries via env Patrick Steinhardt
2020-12-09 11:52 ` [PATCH v4 1/6] git: add `--super-prefix` to usage string Patrick Steinhardt
2020-12-09 11:52 ` [PATCH v4 2/6] config: add new way to pass config via `--config-env` Patrick Steinhardt
2020-12-09 14:40 ` Ævar Arnfjörð Bjarmason
2020-12-09 16:24 ` Jeff King
2020-12-11 13:24 ` Patrick Steinhardt
2020-12-11 14:21 ` Jeff King
2020-12-11 14:54 ` Patrick Steinhardt
2020-12-11 16:10 ` Jeff King
2020-12-09 16:10 ` Jeff King
2020-12-09 16:12 ` [PATCH 1/3] quote: make sq_dequote_step() a public function Jeff King
2020-12-09 16:17 ` [PATCH 2/3] config: parse more robust format in GIT_CONFIG_PARAMETERS Jeff King
2020-12-09 16:20 ` [PATCH 3/3] config: store "git -c" variables using more robust format Jeff King
2020-12-09 16:34 ` Jeff King
2020-12-10 20:55 ` Ævar Arnfjörð Bjarmason
2020-12-10 21:49 ` Junio C Hamano
2020-12-11 13:21 ` Jeff King
2020-12-10 0:00 ` [PATCH v4 2/6] config: add new way to pass config via `--config-env` Junio C Hamano
2020-12-10 0:09 ` Jeff King
2020-12-10 0:57 ` Junio C Hamano
2020-12-11 13:24 ` Patrick Steinhardt
2020-12-11 14:20 ` Jeff King
2020-12-09 11:52 ` [PATCH v4 3/6] environment: make `getenv_safe()` non-static Patrick Steinhardt
2020-12-09 11:52 ` [PATCH v4 4/6] config: extract function to parse config pairs Patrick Steinhardt
2020-12-09 13:12 ` Ævar Arnfjörð Bjarmason
2020-12-09 11:52 ` [PATCH v4 5/6] config: refactor parsing of GIT_CONFIG_PARAMETERS Patrick Steinhardt
2020-12-09 11:52 ` [PATCH v4 6/6] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2020-12-09 15:29 ` [PATCH v4 0/6] config: allow specifying config entries via env Ævar Arnfjörð Bjarmason
2020-12-11 13:35 ` Patrick Steinhardt
2020-12-11 14:27 ` Jeff King
2020-12-11 14:42 ` Jeff King
2020-12-11 14:58 ` Patrick Steinhardt
2020-12-11 14:47 ` Patrick Steinhardt
2020-12-11 15:21 ` Ævar Arnfjörð Bjarmason
2020-12-11 16:02 ` Jeff King
2020-12-16 7:52 ` [PATCH v5 0/8] " Patrick Steinhardt
2020-12-16 7:52 ` [PATCH v5 1/8] git: add `--super-prefix` to usage string Patrick Steinhardt
2020-12-16 7:52 ` [PATCH v5 2/8] config: add new way to pass config via `--config-env` Patrick Steinhardt
2020-12-23 21:35 ` Junio C Hamano
2020-12-16 7:54 ` [PATCH v5 4/8] config: extract function to parse config pairs Patrick Steinhardt
2020-12-16 7:54 ` [PATCH v5 7/8] environment: make `getenv_safe()` a public function Patrick Steinhardt
2020-12-16 7:54 ` [PATCH v5 8/8] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2020-12-23 21:14 ` Junio C Hamano
2020-12-23 21:55 ` Junio C Hamano
2021-01-06 10:28 ` Patrick Steinhardt
2021-01-06 21:07 ` Junio C Hamano
2020-12-16 7:56 ` [PATCH v5 3/8] quote: make sq_dequote_step() a public function Patrick Steinhardt
2020-12-16 7:56 ` [PATCH v5 5/8] config: store "git -c" variables using more robust format Patrick Steinhardt
2020-12-16 7:57 ` [PATCH v5 6/8] config: parse more robust format in GIT_CONFIG_PARAMETERS Patrick Steinhardt
2020-12-16 20:01 ` Phillip Wood
2021-01-07 6:36 ` [PATCH v6 0/8] config: allow specifying config entries via env Patrick Steinhardt
2021-01-07 6:36 ` [PATCH v6 1/8] git: add `--super-prefix` to usage string Patrick Steinhardt
2021-01-07 6:36 ` [PATCH v6 2/8] config: add new way to pass config via `--config-env` Patrick Steinhardt
2021-01-10 20:29 ` Simon Ruderich
2021-01-11 0:29 ` Junio C Hamano
2021-01-11 8:24 ` Patrick Steinhardt
2021-01-07 6:36 ` [PATCH v6 3/8] quote: make sq_dequote_step() a public function Patrick Steinhardt
2021-01-07 6:37 ` [PATCH v6 4/8] config: extract function to parse config pairs Patrick Steinhardt
2021-01-07 6:37 ` [PATCH v6 5/8] config: store "git -c" variables using more robust format Patrick Steinhardt
2021-01-07 6:37 ` [PATCH v6 6/8] config: parse more robust format in GIT_CONFIG_PARAMETERS Patrick Steinhardt
2021-01-07 6:37 ` [PATCH v6 7/8] environment: make `getenv_safe()` a public function Patrick Steinhardt
2021-01-07 6:37 ` [PATCH v6 8/8] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2021-01-11 8:36 ` [PATCH v7 0/8] " Patrick Steinhardt
2021-01-11 8:36 ` [PATCH v7 1/8] git: add `--super-prefix` to usage string Patrick Steinhardt
2021-01-11 8:36 ` [PATCH v7 2/8] config: add new way to pass config via `--config-env` Patrick Steinhardt
2021-01-11 22:34 ` Junio C Hamano
2021-01-11 8:36 ` [PATCH v7 3/8] quote: make sq_dequote_step() a public function Patrick Steinhardt
2021-01-11 8:36 ` [PATCH v7 4/8] config: extract function to parse config pairs Patrick Steinhardt
2021-01-11 8:37 ` [PATCH v7 5/8] config: store "git -c" variables using more robust format Patrick Steinhardt
2021-01-11 8:37 ` [PATCH v7 6/8] config: parse more robust format in GIT_CONFIG_PARAMETERS Patrick Steinhardt
2021-01-11 8:37 ` [PATCH v7 7/8] environment: make `getenv_safe()` a public function Patrick Steinhardt
2021-01-11 8:37 ` [PATCH v7 8/8] config: allow specifying config entries via envvar pairs Patrick Steinhardt
2021-01-12 12:26 ` [PATCH v8 0/8] " Patrick Steinhardt
2021-01-12 12:26 ` [PATCH v8 1/8] git: add `--super-prefix` to usage string Patrick Steinhardt
2021-01-12 12:26 ` [PATCH v8 2/8] config: add new way to pass config via `--config-env` Patrick Steinhardt
2021-04-16 15:40 ` Ævar Arnfjörð Bjarmason
2021-04-17 8:38 ` Jeff King
2021-04-19 15:28 ` Patrick Steinhardt
2021-04-20 11:01 ` Ævar Arnfjörð Bjarmason
2021-04-20 10:59 ` Ævar Arnfjörð Bjarmason
2021-04-23 10:05 ` Jeff King
2021-05-19 11:36 ` Ævar Arnfjörð Bjarmason
2021-01-12 12:26 ` [PATCH v8 3/8] quote: make sq_dequote_step() a public function Patrick Steinhardt
2021-01-12 12:26 ` [PATCH v8 4/8] config: extract function to parse config pairs Patrick Steinhardt
2021-01-12 12:27 ` [PATCH v8 5/8] config: store "git -c" variables using more robust format Patrick Steinhardt
2021-01-15 19:16 ` Jeff King
2021-01-20 6:29 ` Patrick Steinhardt
2021-01-20 6:55 ` Junio C Hamano
2021-01-20 7:42 ` Patrick Steinhardt
2021-01-20 22:28 ` Junio C Hamano
2021-01-12 12:27 ` [PATCH v8 6/8] config: parse more robust format in GIT_CONFIG_PARAMETERS Patrick Steinhardt
2021-01-12 12:27 ` [PATCH v8 7/8] environment: make `getenv_safe()` a public function Patrick Steinhardt
2021-01-12 12:27 ` [PATCH v8 8/8] config: allow specifying config entries via envvar pairs Patrick Steinhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X8YpRyOcPTOztZ8r@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=philipoakley@iee.email \
--cc=ps@pks.im \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).