From: Petar Vutov <pvutov@imap.cc>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] doc: remove mentions of .gitmodules !command syntax
Date: Wed, 12 Jul 2023 19:30:50 +0200
Message-ID: <d775437e-7fa3-189b-a1c3-4fd358dd9768@imap.cc>
In-Reply-To: <xmqqleflt75z.fsf@gitster.g>
On 7/12/23 18:40, Junio C Hamano wrote:
> pvutov@imap.cc writes:
>
>> From: Petar Vutov <pvutov@imap.cc>
>>
>> To mitigate CVE-2019-19604, the capability to configure
>> `git submodule update` to execute custom commands was
>> removed in v2.20.2.
>>
>> The git-submodule documentation still mentions the now-unsupported
>> syntax, which is misleading.
>>
>> Remove the leftover documentation.
>
> The change during the v2.20.2 time period you have in mind may be
> e904deb8 (submodule: reject submodule.update = !command in
> .gitmodules, 2019-12-05). The key phrase is "in .gitmodules"
> as it did not forbid writing update command in the configuration.
>
> The pre-context lines of your patch (see below) say that the 'custom
> command' option and 'none' option are only available via the
> `submodule.<name>.update` configuration variable. IOW, this part of
> the documentation does not talk about the .gitmodules file---it
> talks about what you can say in the configuration file (which is
> under your local control).
>
> I think the existing text that came from fc01a5d2 (submodule update
> documentation: don't repeat ourselves, 2016-12-27) may be
> misleading, and may have room for improvement, but I do not think it
> is wrong per se. If we remove it, there is nowhere else that teaches
> users !cmd can be set in their configuration files, or is there?
>
> Thanks.

Thanks for the review. I was not aware of the .gitconfig use case.

I hit that paragraph while trying to enforce sparse-checkout
via .gitmodules. Yet the gitmodules doc is clear enough:

"See description of update command in git-submodule[1] for their
meaning. For security reasons, the !command form is not accepted here."

Clearly I followed the link in the first sentence without reading the
second :)

Perhaps the term "configuration variable" in

"The following update procedures are only available via the
submodule.<name>.update configuration variable:"

is more specific and technical than immediately obvious - I would have
expected the contents of .gitmodules to be a form of (repository)
configuration. But that is just bikeshedding.

>
>> Signed-off-by: Petar Vutov <pvutov@imap.cc>
>> ---
>> Documentation/git-submodule.txt | 6 ------
>> 1 file changed, 6 deletions(-)
>>
>> diff --git a/Documentation/git-submodule.txt b/Documentation/git-submodule.txt
>> index 4d3ab6b9f9..b40ac72f75 100644
>> --- a/Documentation/git-submodule.txt
>> +++ b/Documentation/git-submodule.txt
>> @@ -163,12 +163,6 @@ checked out in the submodule.
>> The following 'update' procedures are only available via the
>> `submodule.<name>.update` configuration variable:
>>
>> - custom command;; arbitrary shell command that takes a single
>> - argument (the sha1 of the commit recorded in the
>> - superproject) is executed. When `submodule.<name>.update`
>> - is set to '!command', the remainder after the exclamation mark
>> - is the custom command.
>> -
>> none;; the submodule is not updated.
>>
>> If the submodule is not yet initialized, and you just want to use the
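
Review bot: The deleted `custom command;;` entry sits directly under the unchanged context line "only available via the `submodule.<name>.update` configuration variable", so it describes the configuration-file form, which the review above says e904deb8 did not forbid; only the `.gitmodules` form is rejected. Deleting it leaves `none;;` as the only procedure in this list and removes this section's description of what `!command` does. Suggest keeping the entry and adding a sentence to it saying that `!command` is not accepted from `.gitmodules` for security reasons, matching the wording already quoted from the gitmodules documentation. The commit message's "was removed in v2.20.2" should be narrowed the same way.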
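
An audit for the distinction discussed in this thread, as an added example that is not part of the original message or of git's code: it scans the text of a `.gitmodules` file and of a configuration file for `submodule.<name>.update` values in the `!command` form and labels each hit by source. The parser is a simplification (one entry per line, no includes or line continuations), and the function names and sample file contents are constructed for illustration.

```python
import re

# Simplified git-config reader: one entry per line, no includes or continuations.
SECTION = re.compile(r'^\s*\[\s*submodule\s+"((?:[^"\\]|\\.)*)"\s*\]\s*$', re.I)
OTHER_SECTION = re.compile(r'^\s*\[')
UPDATE = re.compile(r'^\s*update\s*=\s*(.*?)\s*$', re.I)

def find_command_updates(text):
    """Return [(submodule, command)] for each submodule.<name>.update = !command."""
    hits, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.strip()[0] in "#;":
            continue                      # blank line or comment
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        if OTHER_SECTION.match(line):
            current = None                # e.g. [core]; not a submodule section
            continue
        update = UPDATE.match(line)
        if current is not None and update:
            value = update.group(1).strip('"')
            if value.startswith("!"):
                hits.append((current, value[1:].strip()))
    return hits

def audit(gitmodules_text, config_text):
    """Label each hit by source: the tracked file and local config differ in trust."""
    findings = []
    for name, cmd in find_command_updates(gitmodules_text):
        findings.append((".gitmodules", name, cmd, "not accepted; untrusted source"))
    for name, cmd in find_command_updates(config_text):
        findings.append(("config", name, cmd, "runs on 'git submodule update'"))
    return findings

# Constructed sample inputs (not from a real repository).
SAMPLE_GITMODULES = '''[submodule "libfoo"]
\turl = https://example.com/libfoo.git
\tupdate = !./build.sh
'''
SAMPLE_CONFIG = '''[core]
\tbare = false
[submodule "libbar"]
\tupdate = !echo checked-out
[submodule "libbaz"]
\tupdate = rebase
'''
print(audit(SAMPLE_GITMODULES, SAMPLE_CONFIG))
```

A hit in `.gitmodules` comes from repository content and deserves scrutiny even though git refuses it; a hit in the local configuration is a command that will actually run, so it should match something the user set deliberately.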