From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763228AbbA3TQ0 (ORCPT ); Fri, 30 Jan 2015 14:16:26 -0500 Received: from cloud.peff.net ([50.56.180.127]:43405 "HELO cloud.peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1752259AbbA3TQY (ORCPT ); Fri, 30 Jan 2015 14:16:24 -0500 Date: Fri, 30 Jan 2015 14:16:21 -0500 From: Jeff King To: Junio C Hamano Cc: Git Mailing List , Josh Boyer , "Linux-Kernel@Vger. Kernel. Org" , twaugh@redhat.com, Linus Torvalds Subject: Re: [PATCH 2/1] apply: reject input that touches outside $cwd Message-ID: <20150130191621.GA30156@peff.net> References: <20150130182456.GA29477@peff.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 30, 2015 at 11:07:34AM -0800, Junio C Hamano wrote: > Jeff King writes: > > > It looks like your new --allow-uplevel goes to verify_path(). So this > > isn't just about "..", but it will also protect against applying a patch > > inside ".git". Which seems like a good thing to me, but I wonder if the > > option name is a little misleading. > > True; not just misleading but is incorrect, I would say. > Suggestions? I think just "--verify-paths" (and "--no-verify-paths", since the former would be the default) might be fine. That leaves the definition of "verify" vague, but I think that's OK. It used to mean "no '..' and no '.git'", and now it has been widened to include "no weird filesystem-specific variants of .git". If you wanted to avoid the negative being the commonly used option, maybe "--unsafe-paths" (or "--allow-unsafe-paths" if you like verbs). -Peff