On Sun, 2018-02-11 at 14:09 +0100, Jakub Wilk wrote:

> For Git (>= 2.12), you can set GIT_PROTOCOL_FROM_USER=0 in
> environment.
> Quoting git(1): "this is useful [...] for programs which feed
> potentially-untrusted URLS to git commands".

Ah, I missed that addition.

> If you want to support older versions of Git, I guess you should mimic
> what GIT_PROTOCOL_FROM_USER=0 does by default, i.e. whitelist known-good
> protocols.

I think I will check the git version and apply the manual whitelisting
only for versions of git older than 2.12.

> I think printing the whole suspicious URL would make sense.

OK.

> I haven't heard about it.

OK, pushed my patch for that.

http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=f8b5baf18928544ce5c3575641fe852a86e93254

I also made webcheckout prefer https:

http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=57b5fa2b85c6285c2f88de242016fdbeb112b91e

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
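The approach discussed in this message (rely on GIT_PROTOCOL_FROM_USER=0 for Git >= 2.12, fall back to a manual protocol whitelist for older Git, and report the whole URL on rejection), sketched as an added example that is not the myrepos patch itself. The function names and the contents of ALLOWED_SCHEMES are assumptions made for illustration.

```python
import os
import re

# Assumption: a conservative allowlist chosen for this example;
# the list used by the actual patch may differ.
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}


def parse_git_version(version_output):
    """Extract (major, minor) from `git --version` output, e.g. 'git version 2.11.0'."""
    m = re.search(r"git version (\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised git version output: %r" % version_output)
    # Integers, not strings: 2.9 must compare as older than 2.12.
    return int(m.group(1)), int(m.group(2))


def url_scheme(url):
    """Return the lowercase scheme of a scheme://... URL, or None otherwise.

    None covers local paths, scp-like host:path and the
    transport::address remote-helper syntax; all are rejected below.
    """
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", url)
    return m.group(1).lower() if m else None


def prepare_checkout(url, version_output, base_env=None):
    """Return the environment to run git with, or raise ValueError.

    Git >= 2.12: let git enforce its own policy via GIT_PROTOCOL_FROM_USER=0.
    Older Git:   apply the manual whitelist before git ever sees the URL.
    """
    env = dict(os.environ if base_env is None else base_env)
    if parse_git_version(version_output) >= (2, 12):
        env["GIT_PROTOCOL_FROM_USER"] = "0"
        return env
    if url_scheme(url) not in ALLOWED_SCHEMES:
        # Print the whole suspicious URL, as suggested in the thread.
        raise ValueError("refusing suspicious git URL: %r" % url)
    return env
```

The caller passes the output of `git --version` as version_output and runs the clone with the returned environment.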

