mirror of
https://github.com/git/git.git
synced 2024-11-16 06:03:44 +01:00
7671b63211
In commitee27ca4
, we started restricting remote git-archive invocations to only accessing reachable commits. This matches what upload-pack allows, but does restrict some useful cases (e.g., HEAD:foo). We loosened this in0f544ee
, which allows `foo:bar` as long as `foo` is a ref tip. However, that still doesn't allow many useful things, like: 1. Commits accessible from a ref, like `foo^:bar`, which are reachable 2. Arbitrary sha1s, even if they are reachable. We can do a full object-reachability check for these cases, but it can be quite expensive if the client has sent us the sha1 of a tree; we have to visit every sub-tree of every commit in the worst case. Let's instead give site admins an escape hatch, in case they prefer the more liberal behavior. For many sites, the full object database is public anyway (e.g., if you allow dumb walker access), or the site admin may simply decide the security/convenience tradeoff is not worth it. This patch adds a new config option to disable the restrictions added inee27ca4
. It defaults to off, meaning there is no change in behavior by default. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
62 lines
2 KiB
Text
62 lines
2 KiB
Text
git-upload-archive(1)
|
|
====================
|
|
|
|
NAME
|
|
----
|
|
git-upload-archive - Send archive back to git-archive
|
|
|
|
|
|
SYNOPSIS
|
|
--------
|
|
[verse]
|
|
'git upload-archive' <directory>
|
|
|
|
DESCRIPTION
|
|
-----------
|
|
Invoked by 'git archive --remote' and sends a generated archive to the
|
|
other end over the Git protocol.
|
|
|
|
This command is usually not invoked directly by the end user. The UI
|
|
for the protocol is on the 'git archive' side, and the program pair
|
|
is meant to be used to get an archive from a remote repository.
|
|
|
|
SECURITY
|
|
--------
|
|
|
|
In order to protect the privacy of objects that have been removed from
|
|
history but may not yet have been pruned, `git-upload-archive` avoids
|
|
serving archives for commits and trees that are not reachable from the
|
|
repository's refs. However, because calculating object reachability is
|
|
computationally expensive, `git-upload-archive` implements a stricter
|
|
but easier-to-check set of rules:
|
|
|
|
1. Clients may request a commit or tree that is pointed to directly by
|
|
a ref. E.g., `git archive --remote=origin v1.0`.
|
|
|
|
2. Clients may request a sub-tree within a commit or tree using the
|
|
`ref:path` syntax. E.g., `git archive --remote=origin v1.0:Documentation`.
|
|
|
|
3. Clients may _not_ use other sha1 expressions, even if the end
|
|
result is reachable. E.g., neither a relative commit like `master^`
|
|
nor a literal sha1 like `abcd1234` is allowed, even if the result
|
|
is reachable from the refs.
|
|
|
|
Note that rule 3 disallows many cases that do not have any privacy
|
|
implications. These rules are subject to change in future versions of
|
|
git, and the server accessed by `git archive --remote` may or may not
|
|
follow these exact rules.
|
|
|
|
If the config option `uploadArchive.allowUnreachable` is true, these
|
|
rules are ignored, and clients may use arbitrary sha1 expressions.
|
|
This is useful if you do not care about the privacy of unreachable
|
|
objects, or if your object database is already publicly available for
|
|
access via non-smart-http.
|
|
|
|
OPTIONS
|
|
-------
|
|
<directory>::
|
|
The repository to get a tar archive from.
|
|
|
|
GIT
|
|
---
|
|
Part of the linkgit:git[1] suite
|