D20952.id49918.diff

diff --git a/src/repository/api/ArcanistGitAPI.php b/src/repository/api/ArcanistGitAPI.php
--- a/src/repository/api/ArcanistGitAPI.php
+++ b/src/repository/api/ArcanistGitAPI.php
@@ -1636,8 +1636,16 @@
// will be incorrect if a remote has different fetch and push URIs.
// However, this is very rare, and this result is almost always correct.
+ // Note that some old versions of Git do not parse "--" in this command
+ // properly. We omit it since it doesn't seem like there's anything
+ // dangerous an attacker can do even if they can choose a remote name to
+ // intentionally cause an argument misparse.
+
+ // This will cause the command to behave incorrectly for remotes with
+ // names which are also valid flags, like "--quiet".
+
list($err, $stdout) = $this->execManualLocal(
- 'ls-remote --get-url -- %s',
+ 'ls-remote --get-url %s',
$remote_name);
if (!$err) {
// The "git ls-remote --get-url" command just echoes the remote name
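
Review bot: On the 'ls-remote --get-url %s' line, removing "--" means a $remote_name that begins with "-" is handed to Git as an option, and the only safeguard is the new comment's statement that there "doesn't seem" to be anything dangerous an attacker can do. I would not rest the safety of this call on that assumption: check $remote_name before execManualLocal() and refuse (or treat as "no URI") any name that starts with "-", which also covers the "--quiet" misbehaviour the second comment paragraph admits to. It would also help to say in the comment which Git versions fail to parse "--" here, so the workaround can be revisited once those versions are no longer supported, and to merge the two comment paragraphs, since the second one describes a consequence of the first.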
