From 33cfccbbf35a56e190b79bdec5c85457c952a021 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Wed, 16 Sep 2015 13:13:12 -0400 Subject: submodule: allow only certain protocols for submodule fetches Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository). Let's restrict submodules to fetching from a known-good subset of protocols. Note that we apply this restriction to all submodule commands, whether the URL comes from .gitmodules or not. This is more restrictive than we need to be; for example, in the tests we run: git submodule add ext::... which should be trusted, as the URL comes directly from the command line provided by the user. But doing it this way is simpler, and makes it much less likely that we would miss a case. And since such protocols should be an exception (especially because nobody who clones from them will be able to update the submodules!), it's not likely to inconvenience anyone in practice. Reported-by: Blake Burkhart Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- git-submodule.sh | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'git-submodule.sh') diff --git a/git-submodule.sh b/git-submodule.sh index 36797c3c00..78c2740fdb 100755 --- a/git-submodule.sh +++ b/git-submodule.sh @@ -22,6 +22,15 @@ require_work_tree wt_prefix=$(git rev-parse --show-prefix) cd_to_toplevel +# Restrict ourselves to a vanilla subset of protocols; the URLs +# we get are under control of a remote repository, and we do not +# want them kicking off arbitrary git-remote-* programs. +# +# If the user has already specified a set of allowed protocols, +# we assume they know what they're doing and use that instead. +: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh} +export GIT_ALLOW_PROTOCOL + command= branch= force= -- cgit v1.2.3