mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Remove the warning about the Git 2GB pathname issue
Summary: Ref T10832. In practice, `git --version` is not a useful test for this issue: - Vendors like Debian have backported the patch into custom versions like `0.0.0.1-debian-lots-of-patches.3232`. - Vendors like Ubuntu distribute multiple different versions which report the same string from `git --version`, some of which are patched and some of which are not. In other cases, we can perform an empirical test for the vulnerability. Here, we can not, because we can't write a 2GB path in a reasonable amount of time. Since vendors (other than Apple) //generally// seem to be on top of this and any warning we try to raise based on `git --version` will frequently be incorrect, don't raise this warning. I'll note this in the changelog instead. Test Plan: Looked at setup issues, no more warning for vulnerable git version. Reviewers: chad Reviewed By: chad Maniphest Tasks: T10832 Differential Revision: https://secure.phabricator.com/D15756
This commit is contained in:
parent
575c01373e
commit
c30fe65ee9
1 changed files with 1 additions and 8 deletions
|
@ -102,14 +102,7 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
|
|||
$version = null;
|
||||
switch ($vcs['versionControlSystem']) {
|
||||
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
|
||||
$bad_versions = array(
|
||||
'< 2.7.4' => pht(
|
||||
'Prior to 2.7.4, Git contains two remote code execution '.
|
||||
'vulnerabilities which allow an attacker to take control of a '.
|
||||
'system by crafting a commit which affects very long paths, '.
|
||||
'then pushing it or tricking a victim into fetching it. This '.
|
||||
'is a severe security vulnerability.'),
|
||||
);
|
||||
$bad_versions = array();
|
||||
list($err, $stdout, $stderr) = exec_manual('git --version');
|
||||
$version = trim(substr($stdout, strlen('git version ')));
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue