On Thu, Jan 17, 2019 at 9:32 AM Jeff King wrote:
>
> On Mon, Jan 14, 2019 at 05:25:07PM -0800, Jonathan Nieder wrote:
>
> > I've put a summary in https://crbug.com/git/28 to make this easier to
> > pick up where we left off. Summary from there of the upstream review:
> >
> > 1. Using urlencoding
On Mon, Jan 14, 2019 at 05:25:07PM -0800, Jonathan Nieder wrote:
> I've put a summary in https://crbug.com/git/28 to make this easier to
> pick up where we left off. Summary from there of the upstream review:
>
> 1. Using urlencoding to escape the slashes is fine, but what if we
> want to esc
Hi,
In August, 2018, Brandon Williams wrote:
> Commit 0383bbb901 (submodule-config: verify submodule names as paths,
> 2018-04-30) introduced some checks to ensure that submodule names don't
> include directory traversal components (e.g. "../").
>
> This addresses the vulnerability identified in
Brandon Williams writes:
> Introduce a function "strbuf_submodule_gitdir()" which callers can use
> to build a path to a submodule's gitdir. This allows for a single
> location where we can munge the submodule name (by url encoding it)
> before using it as part of a path.
I am not sure about th
Hi,
Brandon Williams wrote:
> Commit 0383bbb901 (submodule-config: verify submodule names as paths,
> 2018-04-30) introduced some checks to ensure that submodule names don't
> include directory traversal components (e.g. "../").
>
> This addresses the vulnerability identified in 0383bbb901 but th
Commit 0383bbb901 (submodule-config: verify submodule names as paths,
2018-04-30) introduced some checks to ensure that submodule names don't
include directory traversal components (e.g. "../").
This addresses the vulnerability identified in 0383bbb901 but the root
cause is that we use submodule n
6 matches