Revision 3ec804490a265f4c418a321428c12f3f18b7eff5 authored by Jeff King on 29 April 2017, 12:36:44 UTC, committed by Junio C Hamano on 05 May 2017, 03:07:27 UTC
When a remote server uses git-shell, the client side will
connect to it like:

  ssh server "git-upload-pack 'foo.git'"

and we literally exec ("git-upload-pack", "foo.git"). In
early versions of upload-pack and receive-pack, we took a
repository argument and nothing else. But over time they
learned to accept dashed options. If the user passes a
repository name that starts with a dash, the results are
confusing at best (we complain of a bogus option instead of
a non-existent repository) and malicious at worst (the user
can start an interactive pager via "--help").

We could pass "--" to the sub-process to make sure the
user's argument is interpreted as a branch name. I.e.:

  git-upload-pack -- -foo.git

But adding "--" automatically would make us inconsistent
with a normal shell (i.e., when git-shell is not in use),
where "-foo.git" would still be an error. For that case, the
client would have to specify the "--", but they can't do so
reliably, as existing versions of git-shell do not allow
more than a single argument.

The simplest thing is to simply disallow "-" at the start of
the repo name argument. This hasn't worked either with or
without git-shell since version 1.0.0, and nobody has
complained.

Note that this patch just applies to do_generic_cmd(), which
runs upload-pack, receive-pack, and upload-archive. There
are two other types of commands that git-shell runs:

  - do_cvs_cmd(), but this already restricts the argument to
    be the literal string "server"

  - admin-provided commands in the git-shell-commands
    directory. We'll pass along arbitrary arguments there,
    so these commands could have similar problems. But these
    commands might actually understand dashed arguments, so
    we cannot just block them here. It's up to the writer of
    the commands to make sure they are safe. With great
    power comes great responsibility.

Reported-by: Timo Schmid <tschmid@ernw.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent 7654286
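
The commit message leaves argument safety of commands in the git-shell-commands directory to whoever writes them. As an added example (not code from git or from this commit), a POSIX shell sketch of how such an admin-provided command could apply the same leading-dash rule before passing a repository name to a sub-process; the function names `check_repo_arg` and `run_on_repo`, the error text and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added illustration; check_repo_arg and run_on_repo are hypothetical names.

# check_repo_arg NAME
# Returns 0 if NAME is acceptable as a repository operand, 1 otherwise.
check_repo_arg() {
    [ "$#" -eq 1 ] || return 1           # one operand only
    case "$1" in
        '')                 return 1 ;;  # empty name
        -*)                 return 1 ;;  # would be parsed as a dashed option
        *..*)               return 1 ;;  # assumption: no ".." anywhere in the name
        *[!A-Za-z0-9._/-]*) return 1 ;;  # assumption: conservative character set
    esac
    return 0
}

# run_on_repo CMD NAME
# Runs CMD with NAME as its only operand. The "--" ends option parsing in
# commands that follow the usual utility syntax, so NAME stays an operand
# even if the check above is loosened later.
run_on_repo() {
    cmd=$1
    shift
    if ! check_repo_arg "$@"; then
        echo "fatal: invalid repository name" >&2
        return 2
    fi
    "$cmd" -- "$1"
}

# Demo with a harmless command standing in for the real sub-process.
run_on_repo basename "project/foo.git"
```
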
git-fsck.txt
git-fsck(1)
===========

NAME
----
git-fsck - Verifies the connectivity and validity of the objects in the database


SYNOPSIS
--------
[verse]
'git fsck' [--tags] [--root] [--unreachable] [--cache] [--no-reflogs]
	 [--[no-]full] [--strict] [--verbose] [--lost-found]
	 [--[no-]dangling] [--[no-]progress] [<object>*]

DESCRIPTION
-----------
Verifies the connectivity and validity of the objects in the database.

OPTIONS
-------
<object>::
	An object to treat as the head of an unreachability trace.
+
If no objects are given, 'git fsck' defaults to using the
index file, all SHA-1 references in `refs` namespace, and all reflogs
(unless --no-reflogs is given) as heads.

--unreachable::
	Print out objects that exist but that aren't reachable from any
	of the reference nodes.

--[no-]dangling::
	Print objects that exist but that are never 'directly' used (default).
	`--no-dangling` can be used to omit this information from the output.

--root::
	Report root nodes.

--tags::
	Report tags.

--cache::
	Consider any object recorded in the index also as a head node for
	an unreachability trace.

--no-reflogs::
	Do not consider commits that are referenced only by an
	entry in a reflog to be reachable.  This option is meant
	only to search for commits that used to be in a ref, but
	now aren't, but are still in that corresponding reflog.

--full::
	Check not just objects in GIT_OBJECT_DIRECTORY
	($GIT_DIR/objects), but also the ones found in alternate
	object pools listed in GIT_ALTERNATE_OBJECT_DIRECTORIES
	or $GIT_DIR/objects/info/alternates,
	and in packed Git archives found in $GIT_DIR/objects/pack
	and corresponding pack subdirectories in alternate
	object pools.  This is now default; you can turn it off
	with --no-full.

--strict::
	Enable more strict checking, namely to catch a file mode
	recorded with g+w bit set, which was created by older
	versions of Git.  Existing repositories, including the
	Linux kernel, Git itself, and the sparse repository have old
	objects that trigger this check, but it is recommended
	to check new projects with this flag.

--verbose::
	Be chatty.

--lost-found::
	Write dangling objects into .git/lost-found/commit/ or
	.git/lost-found/other/, depending on type.  If the object is
	a blob, the contents are written into the file, rather than
	its object name.

--[no-]progress::
	Progress status is reported on the standard error stream by
	default when it is attached to a terminal, unless
	--no-progress or --verbose is specified. --progress forces
	progress status even if the standard error stream is not
	directed to a terminal.

DISCUSSION
----------

git-fsck tests SHA-1 and general object sanity, and it does full tracking
of the resulting reachability and everything else. It prints out any
corruption it finds (missing or bad objects), and if you use the
'--unreachable' flag it will also print out objects that exist but that
aren't reachable from any of the specified head nodes (or the default
set, as mentioned above).

Any corrupt objects you will have to find in backups or other archives
(i.e., you can just remove them and do an 'rsync' with some other site in
the hopes that somebody else has the object you have corrupted).

Extracted Diagnostics
---------------------

expect dangling commits - potential heads - due to lack of head information::
	You haven't specified any nodes as heads so it won't be
	possible to differentiate between un-parented commits and
	root nodes.

missing sha1 directory '<dir>'::
	The directory holding the sha1 objects is missing.

unreachable <type> <object>::
	The <type> object <object> isn't actually referred to directly
	or indirectly in any of the trees or commits seen. This can
	mean that there's another root node that you're not specifying
	or that the tree is corrupt. If you haven't missed a root node
	then you might as well delete unreachable nodes since they
	can't be used.

missing <type> <object>::
	The <type> object <object> is referred to but isn't present in
	the database.

dangling <type> <object>::
	The <type> object <object> is present in the database but never
	'directly' used. A dangling commit could be a root node.

sha1 mismatch <object>::
	The database has an object whose sha1 doesn't match the
	database value.
	This indicates a serious data integrity problem.
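
The diagnostics listed above fall into two groups: lines that report corruption (`missing`, `sha1 mismatch`, `missing sha1 directory`) and lines that are informational (`dangling`, `unreachable`). As an added example (not part of the git documentation), a shell helper that sorts 'git fsck' output into those groups and returns a failing status only for the first; the name `triage_fsck`, the summary format and the sample object names are constructed for illustration, and lines are matched exactly as written in this section.

```shell
#!/bin/sh
# Added illustration; triage_fsck is a hypothetical helper name.

# triage_fsck: read fsck output on stdin, print a one-line summary, and
# return 1 if any line reports corruption, 0 otherwise.
triage_fsck() {
    awk '
        $1 == "sha1" && $2 == "mismatch"   { corrupt++; next }
        # "missing sha1 directory" must be tested before "missing <type>"
        $1 == "missing" && $2 == "sha1"    { corrupt++; next }
        $1 == "missing" && NF == 3         { missing++; next }
        $1 == "dangling" && NF == 3        { dangling++; next }
        $1 == "unreachable" && NF == 3     { unreachable++; next }
        { other++ }                        # anything not listed above
        END {
            printf "corrupt=%d missing=%d dangling=%d unreachable=%d other=%d\n",
                   corrupt, missing, dangling, unreachable, other
            exit (corrupt + missing > 0 ? 1 : 0)
        }
    '
}

# Constructed sample output; the object names are placeholders.
sample_fsck_output() {
    cat <<'EOF'
dangling commit 1111111111111111111111111111111111111111
unreachable blob 2222222222222222222222222222222222222222
missing tree 3333333333333333333333333333333333333333
sha1 mismatch 4444444444444444444444444444444444444444
EOF
}

# Demo: in real use, pipe the output of 'git fsck' into triage_fsck.
sample_fsck_output | triage_fsck || echo "fsck reported corruption" >&2
```
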

Environment Variables
---------------------

GIT_OBJECT_DIRECTORY::
	used to specify the object database root (usually $GIT_DIR/objects)

GIT_INDEX_FILE::
	used to specify the index file

GIT_ALTERNATE_OBJECT_DIRECTORIES::
	used to specify additional object database roots (usually unset)

GIT
---
Part of the linkgit:git[1] suite