D20952.id49916.diff

diff --git a/src/repository/api/ArcanistGitAPI.php b/src/repository/api/ArcanistGitAPI.php
--- a/src/repository/api/ArcanistGitAPI.php
+++ b/src/repository/api/ArcanistGitAPI.php
@@ -1636,8 +1636,16 @@
// will be incorrect if a remote has different fetch and push URIs.
// However, this is very rare, and this result is almost always correct.
+ // Note that some old versions of Git do not parse "--" in these commands
+ // properly. We omit it since it doesn't seem like there's anything
+ // dangerous an attacker can do even if they can choose a remote name to
+ // intentionally cause an argument misparse.
+
+ // This will cause the command to behave incorrectly for remotes with
+ // names which are also valid flags, like "--quiet".
+
list($err, $stdout) = $this->execManualLocal(
- 'ls-remote --get-url -- %s',
+ 'ls-remote --get-url %s',
$remote_name);
if (!$err) {
// The "git ls-remote --get-url" command just echoes the remote name
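Review bot: The new comment above the 'ls-remote --get-url %s' call justifies dropping "--" with "doesn't seem like there's anything dangerous", while the next comment concedes the command misbehaves for remote names that are also valid flags, like "--quiet". Rather than accepting the misparse, check $remote_name before the execManualLocal() call and refuse or special-case names that begin with "-", so a flag-shaped remote name never reaches Git as an option. The comment should also say which Git versions fail to parse "--", so the workaround can be revisited once those versions are no longer supported.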
@@ -1660,7 +1668,7 @@
// aliases, but still works in the simplest (and most common) cases.
list($err, $stdout) = $this->execManualLocal(
- 'config -- %s',
+ 'config %s',
sprintf('remote.%s.url', $remote_name));
if (!$err) {
return $stdout;
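Review bot: The 'config %s' call has no comment explaining why dropping "--" is acceptable here; the explanation sits only above the ls-remote call in the previous hunk. In this call the argument is built by sprintf('remote.%s.url', $remote_name), so it always begins with "remote." and cannot itself be read as a flag, which is a stronger argument than the one given for ls-remote. A one-line comment stating that at this call site would keep a later reader from assuming both calls carry the same misparse risk.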
