Page MenuHomePhabricator

Git may interpret refnames as flags in some commands which accept both refs and paths
Closed, ResolvedPublic


Via HackerOne. See

Some git commands accept both a ref selector (or some similar symbol) and a list of paths. For example:

$ git log <ref selector> -- <path> <path> ...

These commands use -- to disambiguate the ref selector from the paths. However, they have no mechanism for disambiguating the ref selector from the flags.

If a string like --example-flag is passed as a ref selector, Git may interpret it as a flag rather than a ref selector.

Affected commands include:

  • blame
  • diff
  • diff-tree
  • grep
  • log
  • ls-tree

Although log can be invoked with --stdin to disambiguate flags, ref selectors, and paths, not all commands have a mode like this.

Related Objects

Event Timeline

epriestley triaged this task as Normal priority.Jan 12 2021, 6:26 PM
epriestley created this task.
epriestley created this object with visibility "epriestley (Evan Priestley)".
epriestley changed the visibility from "epriestley (Evan Priestley)" to "All Users".
epriestley added a project: Security.
epriestley changed the visibility from "All Users" to "Public (No Login Required)".Jan 15 2021, 6:45 PM

My apologies if this is not the right place to post about this, but seems like due to ea9cb0b625fb6922c45aecbfdebacc60788ed92d we now get following error message when visiting diffusion repository page, i.e. URL /diffusion/$REPOID/:

[2021-01-19 11:05:26] EXCEPTION: (CommandException) Command failed with error #128!
git ls-tree -z -l COMMIT_ID_MASKED -- ''


fatal: empty string is not a valid pathspec. please use . instead if you meant to match all paths
 at [<arcanist>/src/future/exec/ExecFuture.php:421]
[19-Jan-2021 11:05:26 UTC] arcanist(head=master, ref.master=b2e715fc5a9c), phabricator(head=master, ref.master=ea9cb0b625fb, custom=4)
[19-Jan-2021 11:05:26 UTC]   #0 <#2> ExecFuture::raiseResultError(array) called at [<arcanist>/src/future/exec/ExecFuture.php:325]
[19-Jan-2021 11:05:26 UTC]   #1 <#2> ExecFuture::resolvex() called at [<phabricator>/src/applications/repository/storage/PhabricatorRepository.php:533]
[19-Jan-2021 11:05:26 UTC]   #2 <#2> PhabricatorRepository::execxLocalCommand(string, string, NULL) called at [<phabricator>/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php:125]
[19-Jan-2021 11:05:26 UTC]   #3 <#2> DiffusionBrowseQueryConduitAPIMethod::getGitResult(ConduitAPIRequest) called at [<phabricator>/src/applications/diffusion/conduit/DiffusionQueryConduitAPIMethod.php:155]
[19-Jan-2021 11:05:26 UTC]   #4 <#2> DiffusionQueryConduitAPIMethod::getResult(ConduitAPIRequest) called at [<phabricator>/src/applications/diffusion/conduit/DiffusionBrowseQueryConduitAPIMethod.php:31]
[19-Jan-2021 11:05:26 UTC]   #5 <#2> DiffusionBrowseQueryConduitAPIMethod::getResult(ConduitAPIRequest) called at [<phabricator>/src/applications/diffusion/conduit/DiffusionQueryConduitAPIMethod.php:110]
[19-Jan-2021 11:05:26 UTC]   #6 <#2> DiffusionQueryConduitAPIMethod::execute(ConduitAPIRequest) called at [<phabricator>/src/applications/conduit/method/ConduitAPIMethod.php:131]
[19-Jan-2021 11:05:26 UTC]   #7 <#2> ConduitAPIMethod::executeMethod(ConduitAPIRequest) called at [<phabricator>/src/applications/conduit/call/ConduitCall.php:131]
[19-Jan-2021 11:05:26 UTC]   #8 <#2> ConduitCall::executeMethod() called at [<phabricator>/src/applications/conduit/call/ConduitCall.php:81]
[19-Jan-2021 11:05:26 UTC]   #9 <#2> ConduitCall::execute() called at [<phabricator>/src/applications/conduit/controller/PhabricatorConduitAPIController.php:83]
[19-Jan-2021 11:05:26 UTC]   #10 phlog(CommandException) called at [<phabricator>/src/applications/conduit/controller/PhabricatorConduitAPIController.php:111]
[19-Jan-2021 11:05:26 UTC]   #11 PhabricatorConduitAPIController::handleRequest(AphrontRequest) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:288]
[19-Jan-2021 11:05:26 UTC]   #12 AphrontApplicationConfiguration::processRequest(AphrontRequest, PhutilDeferredLog, AphrontPHPHTTPSink, MultimeterControl) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:208]
[19-Jan-2021 11:05:26 UTC]   #13 AphrontApplicationConfiguration::runHTTPRequest(AphrontPHPHTTPSink) called at [<phabricator>/webroot/index.php:35]

Could this be fixed ?


It works with Git 2.1.4 (shipped with Debian Wheezy), but not with Git 2.20.1 (shipped with Debian Buster), or Git 2.30.0 (latest version).

Please use Discourse to report bugs.

Is Discourse the way to report bug instead of Maniphest? /me curious

Yes. I closed down registration on this install ( several years ago because the overwhelming majority of users who registered accounts here didn't read or follow the rules. Access to is now invite-only.

I believe these were all hunted down.