On Mon, Nov 07, 2016 at 11:35:23AM -0800, Brandon Williams wrote:

> Previously the `GIT_ALLOW_PROTOCOL` environment variable was used to
> specify a whitelist of protocols to be used in clone/fetch/push
> commands.  This patch introduces new configuration options for more
> fine-grained control for allowing/disallowing protocols.  This also has
> the added benefit of allowing easier construction of a protocol
> whitelist on systems where setting an environment variable is
> non-trivial.
> 
> Now users can specify a policy to be used for each type of protocol via
> the 'protocol.<name>.allow' config option.  A default policy for all
> unconfigured protocols can be set with the 'protocol.allow' config
> option.  If no user configured default is made git, by default, will
> allow known-safe protocols (http, https, git, ssh, file), disallow

A minor nit, but in "If no user configured default is made git, by
default, will..." the second "by default" is redundant. And possibly
misleading. This _is_ the default case, there is no other way to change
it. :)

> +protocol.<name>.allow::
> +     Set a policy to be used by protocol <name> with clone/fetch/push 
> commands.

`<name>` isn't defined here at all.  I still think the list of protocols
should go here, but at the very least, you need to point the user to the
existing list in git(1).

>  `GIT_ALLOW_PROTOCOL`::
> -     If set, provide a colon-separated list of protocols which are
> -     allowed to be used with fetch/push/clone. This is useful to
> -     restrict recursive submodule initialization from an untrusted
> -     repository. Any protocol not mentioned will be disallowed (i.e.,
> -     this is a whitelist, not a blacklist). If the variable is not
> -     set at all, all protocols are enabled.  The protocol names
> -     currently used by git are:
> +     The preferred way to configure allowed protocols is done through the
> +     config interface, though this setting takes precedences.  See

s/precedences/precedence/.

I actually wonder if we should even drop "the preferred way" here. I had
initially thought we would want it just for backwards-compatibility, but
I actually think it is useful in its own right as a shorthand for more
complicated config (and since we have to keep it around effectively
forever anyway, there's no real cost to continuing to call it a feature
versus a deprecated feature).

I'm including a squashable patch at the end of this email with suggested
wording (and which also moves the protocol list).

> +     test_expect_success "clone $desc (env var has precedence)" '
> +             rm -rf tmp.git &&
> +             (
> +                     GIT_ALLOW_PROTOCOL=none &&
> +                     export GIT_ALLOW_PROTOCOL &&
> +                     test_must_fail git -c protocol.$proto.allow=always 
> clone --bare "$url" tmp.git
> +             )
> +     '

This test is a good addition in this round.

I suppose we could test also that GIT_ALLOW_PROTOCOL overrides
protocol.allow, but I'm not sure if there is a point. If git were a
black box, it's a thing I might check, but we know from the design that
this is an unlikely bug (and that the implementation is unlikely to
change in a way to cause it). So I could go either way.

> [...]

The rest of it looks good to me.

Squashable documentation suggestions are below.

-Peff

---
diff --git a/Documentation/config.txt b/Documentation/config.txt
index e89b33f9e..a9dc23f82 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -2331,7 +2331,28 @@ protocol.allow::
 --
 
 protocol.<name>.allow::
-       Set a policy to be used by protocol <name> with clone/fetch/push 
commands.
+       Set a policy to be used by protocol `<name>` with clone/fetch/push
+       commands. See `protocol.allow` above for the available policies.
++
+The protocol names currently used by git are:
++
+--
+  - `file`: any local file-based path (including `file://` URLs,
+           or local paths)
+
+  - `git`: the anonymous git protocol over a direct TCP
+    connection (or proxy, if configured)
+
+  - `ssh`: git over ssh (including `host:path` syntax,
+    `ssh://`, etc).
+
+  - `http`: git over http, both "smart http" and "dumb http".
+    Note that this does _not_ include `https`; if you want to configure
+    both, you must do so individually.
+
+  - any external helpers are named by their protocol (e.g., use
+    `hg` to allow the `git-remote-hg` helper)
+--
 
 pull.ff::
        By default, Git does not create an extra merge commit when merging
diff --git a/Documentation/git.txt b/Documentation/git.txt
index c9823e34a..c52cec840 100644
--- a/Documentation/git.txt
+++ b/Documentation/git.txt
@@ -1150,30 +1150,13 @@ of clones and fetches.
        cloning a repository to make a backup).
 
 `GIT_ALLOW_PROTOCOL`::
-       The preferred way to configure allowed protocols is done through the
-       config interface, though this setting takes precedences.  See
-       linkgit:git-config[1] for more details.  If set to a colon-separated
-       list of protocols, behave as if `protocol.allow` is set to `never`, and
-       each of the listed protocols has `protocol.<name>.allow` set to
-       `always`.  In other words, any protocol not mentioned will be
-       disallowed (i.e., this is a whitelist, not a blacklist).  The protocol
-       names currently used by git are:
-
-         - `file`: any local file-based path (including `file://` URLs,
-           or local paths)
-
-         - `git`: the anonymous git protocol over a direct TCP
-           connection (or proxy, if configured)
-
-         - `ssh`: git over ssh (including `host:path` syntax,
-           `ssh://`, etc).
-
-         - `http`: git over http, both "smart http" and "dumb http".
-           Note that this does _not_ include `https`; if you want both,
-           you should specify both as `http:https`.
-
-         - any external helpers are named by their protocol (e.g., use
-           `hg` to allow the `git-remote-hg` helper)
+       If set to a colon-separated list of protocols, behave as if
+       `protocol.allow` is set to `never`, and each of the listed
+       protocols has `protocol.<name>.allow` set to `always`
+       (overriding any existing configuration). In other words, any
+       protocol not mentioned will be disallowed (i.e., this is a
+       whitelist, not a blacklist). See the description of
+       `protocol.allow` in linkgit:git-config[1] for more details.
 
 `GIT_PROTOCOL_FROM_USER`::
        Set to 0 to prevent protocols used by fetch/push/clone which are

Reply via email to