Re: [PATCH v2] list-objects-filter: disable 'sparse:path' filters

On Sat, May 25, 2019 at 04:28:34PM +0200, Christian Couder wrote:

> If someone wants to use as a filter a sparse file that is in the
> repository, something like "--filter=sparse:oid=<ref>:<path>"
> already works.
> 
> So 'sparse:path' is only interesting if the sparse file is not in
> the repository. In this case though the current implementation has
> a big security issue, as it makes it possible to ask the server to
> read any file, like for example /etc/password, and to explore the
> filesystem, as well as individual lines of files.
> 
> If someone is interested in using a sparse file that is not in the
> repository as a filter, then at the minimum a config option, such
> as "uploadpack.sparsePathFilter", should be implemented first to
> restrict the directory from which the files specified by
> 'sparse:path' can be read.
> 
> For now though, let's just disable 'sparse:path' filters.

Thanks for picking this up. The patch looks fine to me (versus just
disabling it for remote invocations) assuming we are OK with the
possible regression. I suppose cooking this in 'next' for a while is one
way we might find out if anybody yells loudly.

-Peff