Re: pathspec: problems with too long command line
- Date: Wed, 21 Nov 2018 21:56:11 +0100
- From: Marc Strapetz <marc.strapetz@xxxxxxxxxxx>
- Subject: Re: pathspec: problems with too long command line
On 21.11.2018 14:37, Junio C Hamano wrote:
Jeff King <peff@xxxxxxxx> writes:
On Wed, Nov 21, 2018 at 10:23:34AM +0100, Marc Strapetz wrote:
From our GUI client we are invoking git operations on a possibly large set
of files. ...
command line length, especially on Windows  and OSX . To workaround
this problem we are currently splitting up such operations by invoking
multiple git commands. This works well for some commands (like add), but
doesn't work well for others (like commit).
Quite a few commands take --stdin, which can be used to send pathspecs
(and often other stuff) without size limits. I don't think either
"commit" or "add" does, but that might be another route.
A GUI client, like your server, should not be using end-user facing
Porcelain commands like "add" and "commit" anyway. In the standard
"update-index" followed by "write-tree" followed-by "commit-tree"
followed by "update-ref" sequence, the only thing that needs to take
pathspec is the update-index step, and it already does take --stdin.
In our case it's a desktop client. We didn't consider using plumbing
commands in general but only in cases where no appropriate high level
commands exist. One reason for this decision was definitely a lack of
our understanding in the beginning (which is no excuse anymore :).
Another reason is that our users have quite frequently requested to see
invoked Git commands, for their own understanding and learning. I think
this argument remains valid. A third reason is to reduce process
invocations. Although we are quite experienced Git users now, one final
reason may be that it's still desirable to rely on additional validation
in high level commands.
Summed up, I would prefer to find a solution which allows to stick with
"git add"s, "git commit"s, "git checkout"s, ... and providing
--stdin-paths alternatively to <pathspec> would be a good solution from
a GUI client developer's perspective. I'm probably too biased to see
whether it will be beneficial to standalone Git, too?
I'm slightly nervous at a pathspec that starts reading arbitrary files,
because I suspect there may be interesting ways to abuse it for services
which expose Git. E.g., if I have a web service which can show the
history of a file, I might take a $file parameter from the client and
run "git rev-list -- $file" (handling shell quoting, of course). That's
OK now, but with the proposed pathspec magic, a malicious user could ask
for ":(from-file=/etc/passwd)" or whatever.
In any case, I share your gut feeling that this should not be a
magic pathspec, but should instead be "--stdin[-paths]", for command
line parsing's sanity. Catchng random strings that begin with
double dash as fishy is much simpler and more robust than having to
tell if a string that is a risky or a benign magic pathspec.
These are interesting points. Then --stdin[-paths] is definitely the