May 23 2019
May 22 2019
Apr 15 2019
D20420 accepts these refs. We don't show notes in the UI, but we have no outstanding customer requests for this.
Sep 24 2018
Jul 16 2018
T1022 is possibly somewhat-vaguely-adjacent on symlink stuff.
@jcox do you know how to reproduce arc diff dying when you try to create certain types of diffs that move or remove symlinks? I think that's adjacent, if not identical to what's being talked about here.
Jul 13 2018
As a special case of this, if you commit an empty a.py file, then add content to it and also add a new empty b.py file in a commit on top of it, the new empty b.py will be detected as a copy of a.py based on the previous (empty) content of the file. I think Git is being pretty reasonable/consistent here, but this is potentially also expectation-defying:
Apr 3 2018
Duplicate of T8936?
Jan 26 2018
Jan 16 2018
I'm not totally sure all variants of this are fixed, but I don't know how to reproduce any remaining issues.
I filed a summary of this in the Mercurial upstream to waste someone else's time so I feel better:
This is an explicit behavior in Mercurial and dates from 2007:
The rule Git uses appears to literally be "does the filename include a space":
Dec 18 2017
Dec 13 2017
D18831 should upgrade this from "horrible fatal" to "reasonable-but-not-ideal normal page". This could still be improved (providing the user more information and taking them into the submodule redirect workflow) but it's normally difficult to end up here without trying.
Aug 14 2017
There doesn't seem to be anything actionable remaining on our end.
Aug 11 2017
This cropped up in the HN thread -- works in my browsers (although Phabricator does not recognize it as a valid link):
Thanks for the writeup :)
The reason the upstream projects aren't using -- is that it isn't portable. For example, Putty's ssh doesn't support it.
The full set of mitigations is now available in stable, and I've promoted 2017 Week 32 (Mid August).
See also this enormously valuable contribution I made to the Git LFS upstream in connection with T7789 some time ago:
Thanks for the detailed explanations! I should have thought more carefully. Note that old Mercurial also fails to do correct shell quoting on Windows (it uses ' where Windows needs "). But since Phabricator does not run on Windows, it shouldn't be an issue.
So, all three major VCS had the exact same CVE, which was "we invoke ssh command line, don't sanitize input, and don't specify -- anywhere"?
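As an added illustration of the sanitization that comment describes as missing (this is example code, not from the thread, Phabricator, Git, or Mercurial), the helper below builds the Mercurial-style `ssh host "hg -R path serve --stdio"` argv and refuses any host, user, path, or port that could be parsed as an ssh option. It deliberately does not rely on `--`, since the thread notes that not every ssh client accepts it; the allowed character sets and the `is_safe_remote` wrapper are assumptions made for this example.

```python
import re
import shlex

# Constructed rules for this example: a host is RFC 1123-ish (letters, digits,
# dots, hyphens), a user is a simple account name, and neither may begin with
# '-', so ssh can never mistake a remote-supplied value for an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def _check(value, what, pattern):
    """Reject empty values, leading dashes, and anything outside the allowed charset."""
    if not value:
        raise ValueError(f"empty {what}")
    if value.startswith("-"):
        raise ValueError(f"{what} must not start with '-': {value!r}")
    if pattern is not None and not pattern.match(value):
        raise ValueError(f"{what} contains unexpected characters: {value!r}")
    return value


def ssh_argv(host, repo_path, user=None, port=None):
    """Build argv for the Mercurial-style 'ssh host "hg -R path serve --stdio"' call.

    Every remote-controlled piece (host, user, path, port) is validated before
    it becomes an argument. No '--' is used because not every ssh client
    (PuTTY, for one) accepts it. The remote command is quoted for a POSIX
    shell on the far end with shlex.quote.
    """
    host = _check(host, "host", _HOST_RE)
    repo_path = _check(repo_path, "repository path", None)
    argv = ["ssh"]
    if port is not None:
        port = int(port)  # a non-numeric string such as "-p" fails here
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        argv += ["-p", str(port)]
    target = host
    if user is not None:
        target = f"{_check(user, 'user', _USER_RE)}@{host}"
    argv.append(target)
    argv.append(f"hg -R {shlex.quote(repo_path)} serve --stdio")
    return argv


def is_safe_remote(host, repo_path, user=None, port=None):
    """True if ssh_argv accepts these values, False if it rejects them."""
    try:
        ssh_argv(host, repo_path, user=user, port=port)
    except ValueError:
        return False
    return True
```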
@indygreg Thanks for the heads up about subrepos -- I would not have otherwise guessed that hg pull might run git.
From this writeup:
The magic incantation I arrived at was slightly modified from one of the hg test cases:
Never mind, I was able to get hg pull -u to interact. I'm going to land, cherry-pick, and hotfix D18390.