From 56dd1b297c3e5cdbb477acc7435d6aa5749f33f2 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Sat, 18 Mar 2017 17:29:44 -0700
Subject: [PATCH] (stable) Don't use "--" to separate flags and arguments in "git ls-remote"
Summary: Fixes T12416. See that task for discussion. Slightly older versions of `git` do not appear to support use of `--` to separate flags and arguments.
Test Plan:
- Ran `bin/repository update PHABX`.
- In T12416, had a user with Git 2.1.4 confirm that `git ls-remote X` worked while `git ls-remote -- X` failed.
- Read `git help ls-remote` to look for any kind of suspicious `--destroy-the-world` flags, didn't see any that made me uneasy.
Reviewers: chad, avivey
Reviewed By: avivey
Maniphest Tasks: T12416
Differential Revision: https://secure.phabricator.com/D17508
---
 .../repository/engine/PhabricatorRepositoryPullEngine.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php b/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
index 1219e678d5..b144ecfd96 100644
--- a/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
+++ b/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php
@@ -392,8 +392,11 @@ final class PhabricatorRepositoryPullEngine
 private function loadGitRemoteRefs(PhabricatorRepository $repository) {
 $remote_envelope = $repository->getRemoteURIEnvelope();
+ // NOTE: "git ls-remote" does not support "--" until circa January 2016.
+ // See T12416. None of the flags to "ls-remote" appear dangerous, and
+ // other checks make it difficult to configure a suspicious remote URI.
 list($stdout) = $repository->execxRemoteCommand(
- 'ls-remote -- %P',
+ 'ls-remote %P',
 $remote_envelope);
 $map = array();
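Review bot: With `--` dropped from `'ls-remote %P'`, the only thing that stops a remote URI beginning with `-` from being parsed by git as an option is the "other checks" the new comment mentions, and those are not visible in this hunk. The comment's claim that no `ls-remote` flag is dangerous also overlooks `--upload-pack=<exec>`, which selects the program run for the remote end. I would add an explicit guard before the call, for example `if (!strncmp($remote_envelope->openEnvelope(), '-', 1)) { throw new Exception(pht('Remote URI must not begin with "-".')); }`, and reword the comment to name the URI validation it depends on. `%P` presumably only escapes the value for the shell and masks it in logs; it does not affect git's own option parsing. The body of `loadGitRemoteRefs` continues past the end of the hunk.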