diff options
| author | Jeff King <peff@peff.net> | 2019-08-29 19:08:42 (GMT) |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-12-04 12:20:04 (GMT) |
| commit | a52ed76142f6e8d993bb4c50938a408966eb2b7c (patch) | |
| tree | 9603df337bf43eec5d4998d44f5c3293661950d2 /fast-import.c | |
| parent | 68061e3470210703cb15594194718d35094afdc0 (diff) | |
| download | git-a52ed76142f6e8d993bb4c50938a408966eb2b7c.zip git-a52ed76142f6e8d993bb4c50938a408966eb2b7c.tar.gz git-a52ed76142f6e8d993bb4c50938a408966eb2b7c.tar.bz2 | |
fast-import: disallow "feature import-marks" by default
As with export-marks in the previous commit, import-marks can access the
filesystem. This is significantly less dangerous than export-marks
because it only involves reading from arbitrary paths, rather than
writing them. However, it could still be surprising and have security
implications (e.g., exfiltrating data from a service that accepts
fast-import streams).
Let's lump it (and its "if-exists" counterpart) in with export-marks,
and enable the in-stream version only if --allow-unsafe-features is set.
Signed-off-by: Jeff King <peff@peff.net>
Diffstat (limited to 'fast-import.c')
| -rw-r--r-- | fast-import.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fast-import.c b/fast-import.c index 967077a..93c3838 100644 --- a/fast-import.c +++ b/fast-import.c @@ -3344,8 +3344,10 @@ static int parse_one_feature(const char *feature, int from_stream) if (skip_prefix(feature, "date-format=", &arg)) { option_date_format(arg); } else if (skip_prefix(feature, "import-marks=", &arg)) { + check_unsafe_feature("import-marks", from_stream); option_import_marks(arg, from_stream, 0); } else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) { + check_unsafe_feature("import-marks-if-exists", from_stream); option_import_marks(arg, from_stream, 1); } else if (skip_prefix(feature, "export-marks=", &arg)) { check_unsafe_feature(feature, from_stream); |