revi-archive/phorge-arcanist
1
0
Fork 0
mirror of https://we.phorge.it/source/arcanist.git synced 2024-09-19 16:38:51 +02:00
Code Issues Releases Wiki Activity

Omit "--" in older fallback commands for Git remote URIs

Browse source 
Summary: Ref T13481. Some older versions of Git appear to not support "--" in these commands. Just drop it. This can lead to ambiguous results with certain obviously-silly remote names, but doesn't appear to lead to anything dangerous.

Test Plan: Will followup with user on ancient Git.

Maniphest Tasks: T13481

Differential Revision: https://secure.phabricator.com/D20952
This commit is contained in:
epriestley 2020-01-23 16:37:00 -08:00
parent 70c0fd3f22
commit 21a1828ea0
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/repository/api/ArcanistGitAPI.php
View file

@ -1636,8 +1636,16 @@ final class ArcanistGitAPI extends ArcanistRepositoryAPI {
// will be incorrect if a remote has different fetch and push URIs. // will be incorrect if a remote has different fetch and push URIs.
// However, this is very rare, and this result is almost always correct. // However, this is very rare, and this result is almost always correct.
// Note that some old versions of Git do not parse "--" in this command
// properly. We omit it since it doesn't seem like there's anything
// dangerous an attacker can do even if they can choose a remote name to
// intentionally cause an argument misparse.
// This will cause the command to behave incorrectly for remotes with
// names which are also valid flags, like "--quiet".
list($err, $stdout) = $this->execManualLocal( list($err, $stdout) = $this->execManualLocal(
'ls-remote --get-url -- %s', 'ls-remote --get-url %s',
$remote_name); $remote_name);
if (!$err) { if (!$err) {
// The "git ls-remote --get-url" command just echoes the remote name // The "git ls-remote --get-url" command just echoes the remote name