From: Junio C Hamano <gitster@pobox.com>
To: Richard Hansen <rhansen@bbn.com>
Cc: Michael Haggerty <mhagger@alum.mit.edu>,
Jeff King <peff@peff.net>,
git@vger.kernel.org, sitaramc@gmail.com
Subject: Re: [SECURITY PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1
Date: Tue, 22 Apr 2014 12:47:57 -0700 [thread overview]
Message-ID: <xmqqr44p4042.fsf@gitster.dls.corp.google.com> (raw)
In-Reply-To: <5356B71A.6070500@bbn.com> (Richard Hansen's message of "Tue, 22 Apr 2014 14:38:18 -0400")
Richard Hansen <rhansen@bbn.com> writes:
>> and plan for transition to forbid them
>> everywhere in a next big version bump (it is too late for 2.0).
>
> Would it be acceptable to have a config option to forbid these in a
> non-major version bump?
Of course ;-) Because we try very hard to avoid a "flag day" change,
any "plan for transition" inevitably has to include what we need to
do _before_ the big version bump.
> If it's OK to have a config option, then here's one possible transition
> path (probably flawed, but my intent is to bootstrap discussion):
>
> 1. Add an option to forbid dangerous characters. The option defaults
> to disabled for compatibility. If the option is unset, print a
> warning upon encountering a ref name that would be forbidden.
> 2. Later, flip the default to enabled.
> 3. Later, in the weeks/months leading up to the next major version
> release, print the warning even if the config option is set to
> disabled.
Sounds fairly conservative and nice. We may want to treat creating
a new such ref and using an existing such ref differently, though,
and that might give us a better/smoother transition (as you are, I
am just thinking aloud).
For example, it might be sufficient to do these two things:
(1) upon an attempt to use an existing such ref, warn and encourage
renaming of the ref.
(2) upon an attempt to create a new one, error it out.
in the first step, and in either case, tell the user about the
loosening variable.
Going that route may shorten the time until the initial safety.
next prev parent reply other threads:[~2014-04-22 19:48 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-21 19:07 [SECURITY PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1 Richard Hansen
2014-04-21 20:24 ` Jeff King
2014-04-21 21:07 ` Richard Hansen
2014-04-22 8:38 ` Michael Haggerty
2014-04-22 17:38 ` Junio C Hamano
2014-04-22 18:38 ` Richard Hansen
2014-04-22 19:47 ` Junio C Hamano [this message]
2014-04-21 22:23 ` Junio C Hamano
2014-04-21 22:33 ` Junio C Hamano
2014-04-21 22:58 ` Richard Hansen
2014-04-21 23:53 ` [SECURITY PATCH v2] " Richard Hansen
-- strict thread matches above, loose matches on Subject: below --
2014-04-24 18:40 [SECURITY PATCH] " Gábor Szeder
2014-04-25 7:37 ` Simon Oosthoek
2014-04-25 16:39 ` Richard Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqr44p4042.fsf@gitster.dls.corp.google.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=mhagger@alum.mit.edu \
--cc=peff@peff.net \
--cc=rhansen@bbn.com \
--cc=sitaramc@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.