On Thu, Feb 22, 2018 at 06:05:15PM -0500, Jeff King wrote: > On Thu, Feb 22, 2018 at 02:42:35PM -0800, Jonathan Nieder wrote: > > > > I couldn't quite get it to work, but I think it's because I'm doing > > > something wrong with the submodules. But I also think this attack would > > > _have_ to be done over ssh, because on a local system the submodule > > > clone would a hard-link rather than a real fetch. > > > > What happens if the submodule URL starts with file://? > > Ah, that would do it. Or I guess any follow-up fetch. > > I'm still having trouble convincing submodules to fetch _just_ the > desired sha1, though. It always just fetches everything. I know there's > a way that this kicks in (that's why we have things like > allowReachableSHA1InWant), but I'm not sufficiently well-versed in > submodules to know how to trigger it.
<facepalm> This won't work anyway. I was right when I said that we don't redirect stderr for rev-list, but of course it's stdout that determines the pager behavior. So I don't think you could get rev-list to trigger a pager here. I don't think there's currently any vulnerability, but it's more to do with luck than any amount of carefulness on our part. -Peff
