diff options
| -rw-r--r-- | Documentation/config.txt | 7 | ||||
| -rw-r--r-- | Documentation/git-upload-archive.txt | 6 | ||||
| -rw-r--r-- | archive.c | 13 | ||||
| -rwxr-xr-x | t/t5000-tar-tree.sh | 9 |
4 files changed, 33 insertions, 2 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt index 5f4d7939e..64b69eeb6 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -2291,6 +2291,13 @@ transfer.unpackLimit:: not set, the value of this variable is used instead. The default value is 100. +uploadarchive.allowUnreachable:: + If true, allow clients to use `git archive --remote` to request + any tree, whether reachable from the ref tips or not. See the + discussion in the `SECURITY` section of + linkgit:git-upload-archive[1] for more details. Defaults to + `false`. + uploadpack.hiderefs:: String(s) `upload-pack` uses to decide which refs to omit from its initial advertisement. Use more than one diff --git a/Documentation/git-upload-archive.txt b/Documentation/git-upload-archive.txt index 8ae65d80c..cbef61ba8 100644 --- a/Documentation/git-upload-archive.txt +++ b/Documentation/git-upload-archive.txt @@ -46,6 +46,12 @@ implications. These rules are subject to change in future versions of git, and the server accessed by `git archive --remote` may or may not follow these exact rules. +If the config option `uploadArchive.allowUnreachable` is true, these +rules are ignored, and clients may use arbitrary sha1 expressions. +This is useful if you do not care about the privacy of unreachable +objects, or if your object database is already publicly available for +access via non-smart-http. + OPTIONS ------- <directory>:: @@ -17,6 +17,7 @@ static char const * const archive_usage[] = { static const struct archiver **archivers; static int nr_archivers; static int alloc_archivers; +static int remote_allow_unreachable; void register_archiver(struct archiver *ar) { @@ -257,7 +258,7 @@ static void parse_treeish_arg(const char **argv, unsigned char sha1[20]; /* Remotes are only allowed to fetch actual refs */ - if (remote) { + if (remote && !remote_allow_unreachable) { char *ref = NULL; const char *colon = strchr(name, ':'); int refnamelen = colon ? colon - name : strlen(name); @@ -401,6 +402,14 @@ static int parse_archive_args(int argc, const char **argv, return argc; } +static int git_default_archive_config(const char *var, const char *value, + void *cb) +{ + if (!strcmp(var, "uploadarchive.allowunreachable")) + remote_allow_unreachable = git_config_bool(var, value); + return git_default_config(var, value, cb); +} + int write_archive(int argc, const char **argv, const char *prefix, int setup_prefix, const char *name_hint, int remote) { @@ -411,7 +420,7 @@ int write_archive(int argc, const char **argv, const char *prefix, if (setup_prefix && prefix == NULL) prefix = setup_git_directory_gently(&nongit); - git_config(git_default_config, NULL); + git_config(git_default_archive_config, NULL); init_tar_archiver(); init_zip_archiver(); diff --git a/t/t5000-tar-tree.sh b/t/t5000-tar-tree.sh index 05f011d38..1cf0a4e10 100755 --- a/t/t5000-tar-tree.sh +++ b/t/t5000-tar-tree.sh @@ -213,6 +213,15 @@ test_expect_success 'clients cannot access unreachable commits' ' test_must_fail git archive --remote=. $sha1 >remote.tar ' +test_expect_success 'upload-archive can allow unreachable commits' ' + test_commit unreachable1 && + sha1=`git rev-parse HEAD` && + git reset --hard HEAD^ && + git archive $sha1 >remote.tar && + test_config uploadarchive.allowUnreachable true && + git archive --remote=. $sha1 >remote.tar +' + test_expect_success 'setup tar filters' ' git config tar.tar.foo.command "tr ab ba" && git config tar.bar.command "tr ab ba" && |