mirror of https://github.com/git/git.git synced 2024-10-31 14:27:54 +01:00
git/Documentation
Blake Burkhart f4113cac0c http: limit redirection to protocol-whitelist
Previously, libcurl would follow redirection to any protocol
it was compiled for support with. This is desirable to allow
redirection from HTTP to HTTPS. However, it would even
successfully allow redirection from HTTP to SFTP, a protocol
that git does not otherwise support at all. Furthermore
git's new protocol-whitelisting could be bypassed by
following a redirect within the remote helper, as it was
only enforced at transport selection time.

This patch limits redirects within libcurl to HTTP, HTTPS,
FTP and FTPS. If there is a protocol-whitelist present, this
list is limited to those also allowed by the whitelist. As
redirection happens from within libcurl, it is impossible
for an HTTP redirect to a protocol implemented within
another remote helper.

When the curl version git was compiled with is too old to
support restrictions on protocol redirection, we warn the
user if GIT_ALLOW_PROTOCOL restrictions were requested. This
is a little inaccurate, as even without that variable in the
environment, we would still restrict SFTP, etc, and we do
not warn in that case. But anything else means we would
literally warn every time git accesses an http remote.

This commit includes a test, but it is not as robust as we
would hope. It redirects an http request to ftp, and checks
that curl complained about the protocol, which means that we
are relying on curl's specific error message to know what
happened. Ideally we would redirect to a working ftp server
and confirm that we can clone without protocol restrictions,
and not with them. But we do not have a portable way of
providing an ftp server, nor any other protocol that curl
supports (https is the closest, but we would have to deal
with certificates).

[jk: added test and version warning]

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25 15:30:39 -07:00
..
howto howto: document more tools for recovery corruption 2015-04-01 22:44:03 -07:00
RelNotes Git 2.3.9 2015-09-04 10:32:15 -07:00
technical Merge branch 'nd/split-index' 2014-12-22 12:28:11 -08:00
.gitattributes
.gitignore doc: generate a list of valid merge tools 2013-02-02 21:46:52 -08:00
asciidoc.conf Documentation: avoid poor-man's small caps GIT 2013-02-01 13:53:25 -08:00
blame-options.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
build-docdep.perl
cat-texi.perl Documentation: Strip texinfo anchors to avoid duplicates 2013-04-03 16:14:19 -07:00
cmd-list.perl
CodingGuidelines Merge branch 'jg/cguide-we-cannot-count' into maint 2015-04-21 12:12:19 -07:00
config.txt Merge branch 'mg/doc-status-color-slot' into maint 2015-03-23 11:23:31 -07:00
date-formats.txt Correct word usage of "timezone" in "Documentation" directory 2013-11-12 10:47:17 -08:00
diff-config.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
diff-format.txt diff-format doc: a score can follow M for rewrite 2015-01-28 22:22:03 -08:00
diff-generate-patch.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
diff-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
docbook-xsl.css
docbook.xsl
everyday.txto doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
fetch-options.txt fetch: allow explicit --refmap to override configuration 2014-06-05 15:13:12 -07:00
fix-texi.perl
git-add.txt Documentation: list long options for -v and -n 2015-01-09 16:23:41 -08:00
git-am.txt Merge branch 'mm/am-c-doc' into maint 2015-03-06 14:57:56 -08:00
git-annotate.txt
git-apply.txt apply: reject input that touches outside the working area 2015-02-10 13:40:20 -08:00
git-archimport.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-archive.txt docs: clarify remote restrictions for git-upload-archive 2014-02-28 09:55:35 -08:00
git-bisect-lk2009.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-bisect.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-blame.txt docs/git-blame: explain more clearly the example pickaxe use 2014-02-11 11:03:07 -08:00
git-branch.txt Refer to branch.<name>.remote/merge when documenting --track 2013-09-09 11:03:01 -07:00
git-bundle.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-cat-file.txt cat-file: provide %(deltabase) batch format 2013-12-26 11:54:26 -08:00
git-check-attr.txt Merge branch 'jc/check-x-z' 2013-09-04 12:23:25 -07:00
git-check-ignore.txt check-ignore: clarify treatment of tracked files 2014-12-04 12:16:04 -08:00
git-check-mailmap.txt builtin: add git-check-mailmap command 2013-07-13 10:19:37 -07:00
git-check-ref-format.txt Add new @ shortcut for HEAD 2013-09-12 14:39:34 -07:00
git-checkout-index.txt
git-checkout.txt Documentation: @{-N} can refer to a commit 2014-01-21 13:50:00 -08:00
git-cherry-pick.txt cherry-pick: fix docs describing handling of empty commits 2015-03-30 21:49:51 -07:00
git-cherry.txt Documentation: revamp git-cherry(1) 2013-11-27 12:16:49 -08:00
git-citool.txt
git-clean.txt Merge branch 'mr/doc-clean-f-f' into maint 2015-03-13 22:56:12 -07:00
git-clone.txt clone: --dissociate option to mark that reference is only temporary 2014-10-15 14:34:45 -07:00
git-column.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-commit-tree.txt commit-tree: add and document --no-gpg-sign 2014-02-24 14:51:35 -08:00
git-commit.txt Merge branch 'jc/doc-commit-only' 2014-11-18 10:19:42 -08:00
git-config.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-count-objects.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-credential-cache--daemon.txt credential-cache: close stderr in daemon process 2014-09-16 11:11:58 -07:00
git-credential-cache.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-credential-store.txt docs/credential-store: s/--store/--file/ 2014-11-06 09:51:08 -08:00
git-credential.txt Documentation: make AsciiDoc links always point to HTML files 2013-09-06 14:49:06 -07:00
git-cvsexportcommit.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-cvsimport.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-cvsserver.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-daemon.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-describe.txt use 'commit-ish' instead of 'committish' 2013-09-04 15:03:03 -07:00
git-diff-files.txt
git-diff-index.txt Documentation/diff-index: mention two modes of operation 2013-05-20 15:50:44 -07:00
git-diff-tree.txt
git-diff.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-difftool.txt difftool: add support for --trust-exit-code 2014-10-28 10:36:57 -07:00
git-fast-export.txt Merge branch 'mh/doc-remote-helper-xref' 2014-11-19 13:47:56 -08:00
git-fast-import.txt Merge branch 'jn/doc-fast-import-no-16-octopus-limit' into maint 2015-04-21 12:12:17 -07:00
git-fetch-pack.txt Merge branch 'tb/doc-fetch-pack-url' into maint 2013-12-17 11:34:24 -08:00
git-fetch.txt docs: Explain the purpose of fetch's and pull's <refspec> parameter. 2014-06-12 09:59:13 -07:00
git-filter-branch.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-fmt-merge-msg.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-for-each-ref.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-format-patch.txt format-patch: add "--signature-file=<file>" option 2014-05-27 12:38:32 -07:00
git-fsck-objects.txt
git-fsck.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-gc.txt gc --aggressive: make --depth configurable 2014-03-31 10:26:24 -07:00
git-get-tar-commit-id.txt
git-grep.txt grep: add grep.fullName config variable 2014-03-20 12:38:00 -07:00
git-gui.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-hash-object.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-help.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-http-backend.txt Merge commit 'doc/http-backend: missing accent grave in literal mark-up' 2014-04-09 11:45:04 -07:00
git-http-fetch.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-http-push.txt
git-imap-send.txt imap-send: use cURL automatically when NO_OPENSSL defined 2015-03-10 15:19:05 -07:00
git-index-pack.txt clone: open a shortcut for connectivity check 2013-05-28 08:07:20 -07:00
git-init-db.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-init.txt Documentation: git-init: flesh out example 2014-08-08 13:17:42 -07:00
git-instaweb.txt
git-interpret-trailers.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-log.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
git-ls-files.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-ls-remote.txt ls-remote doc: don't encourage use of branches-file 2013-06-23 00:33:58 -07:00
git-ls-tree.txt
git-mailinfo.txt git-mailinfo: add --message-id 2014-11-25 15:24:55 -08:00
git-mailsplit.txt
git-merge-base.txt merge-base: teach "--fork-point" mode 2013-10-29 13:06:08 -07:00
git-merge-file.txt Documentation/git-merge-file: document option "--diff3" 2013-08-09 14:19:59 -07:00
git-merge-index.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-merge-one-file.txt
git-merge-tree.txt use 'tree-ish' instead of 'treeish' 2013-09-04 15:02:56 -07:00
git-merge.txt merge: enable defaulttoupstream by default 2014-04-22 12:53:59 -07:00
git-mergetool--lib.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-mergetool.txt mergetool: document the default for --[no-]prompt 2014-04-24 11:29:05 -07:00
git-mktag.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-mktree.txt
git-mv.txt mv: better document side effects when moving a submodule 2014-01-07 14:33:04 -08:00
git-name-rev.txt use 'commit-ish' instead of 'committish' 2013-09-04 15:03:03 -07:00
git-notes.txt builtin/notes: add --allow-empty, to allow storing empty notes 2014-11-12 11:00:11 -08:00
git-p4.txt git p4 doc: use two-line style for options with multiple spellings 2014-01-22 08:06:20 -08:00
git-pack-objects.txt pack-objects: use --objects-edge-aggressive for shallow repos 2014-12-29 09:58:25 -08:00
git-pack-redundant.txt
git-pack-refs.txt Documentation: remove --prune from pack-refs examples 2013-07-18 16:23:46 -07:00
git-parse-remote.txt
git-patch-id.txt patch-id: make it stable against hunk reordering 2014-06-10 13:09:24 -07:00
git-prune-packed.txt Documentation: adjust document title underlining 2014-10-13 13:35:18 -07:00
git-prune.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-pull.txt docs: clarify "preserve" option wording for git-pull 2015-03-26 13:19:26 -07:00
git-push.txt Merge branch 'ph/push-doc-cas' into maint 2015-03-31 14:52:24 -07:00
git-quiltimport.txt Documentation: adjust document title underlining 2014-10-13 13:35:18 -07:00
git-read-tree.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-rebase.txt Merge branch 'ss/pull-rebase-preserve' into maint 2015-03-31 14:54:12 -07:00
git-receive-pack.txt signed push: allow stale nonce in stateless mode 2014-09-17 15:19:54 -07:00
git-reflog.txt Merge branch 'jc/prune-all' 2013-05-29 14:23:04 -07:00
git-relink.txt
git-remote-ext.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
git-remote-fd.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
git-remote-helpers.txto Rename {git- => git}remote-helpers.txt 2013-02-01 14:12:34 -08:00
git-remote-testgit.txt Merge branch 'jk/remote-helpers-doc' 2013-02-07 14:41:45 -08:00
git-remote.txt Merge branch 'mg/doc-remote-tags-or-not' into maint 2015-03-13 22:56:05 -07:00
git-repack.txt Merge branch 'jk/repack-pack-keep-objects' 2014-03-18 13:50:29 -07:00
git-replace.txt Merge branch 'cc/replace-graft' 2014-07-27 15:14:18 -07:00
git-request-pull.txt request-pull: documentation updates 2014-03-13 14:22:20 -07:00
git-rerere.txt docs: stop using asciidoc no-inline-literal 2012-04-26 13:19:06 -07:00
git-reset.txt Merge branch 'jl/nor-or-nand-and' 2014-04-08 12:00:28 -07:00
git-rev-list.txt rev-list: add an option to mark fewer edges as uninteresting 2014-12-29 09:57:55 -08:00
git-rev-parse.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-revert.txt parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
git-rm.txt rm: better document side effects when removing a submodule 2014-01-07 14:34:06 -08:00
git-send-email.txt Merge branch 'aw/doc-smtp-ssl-cert-path' 2015-01-14 12:33:50 -08:00
git-send-pack.txt send-pack: take refspecs over stdin 2014-08-26 12:58:02 -07:00
git-sh-i18n--envsubst.txt
git-sh-i18n.txt
git-sh-setup.txt Merge branch 'jc/reflog-doc' 2013-10-18 13:50:12 -07:00
git-shell.txt shell doc: remove stray "+" in example 2014-05-08 10:26:26 -07:00
git-shortlog.txt git-shortlog.txt: make SYNOPSIS match log, update OPTIONS 2013-04-21 23:11:02 -07:00
git-show-branch.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-show-index.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-show-ref.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-show.txt Documentation/git-show.txt: include common diff options, like git-log.txt 2013-07-17 17:50:56 -07:00
git-stage.txt Documentation: adjust document title underlining 2014-10-13 13:35:18 -07:00
git-stash.txt stash doc: mention short form -k in save description 2014-02-24 09:13:30 -08:00
git-status.txt doc: fix 'git status --help' character quoting 2014-10-19 20:45:16 -07:00
git-stripspace.txt Documentation/git-stripspace: add synopsis for --comment-lines 2014-12-04 14:18:30 -08:00
git-submodule.txt submodule: improve documentation of update subcommand 2015-03-02 14:59:55 -08:00
git-svn.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
git-symbolic-ref.txt git symbolic-ref --delete $symref 2012-10-21 12:17:38 -07:00
git-tag.txt Merge branch 'maint-2.0' into maint 2014-10-07 13:40:51 -07:00
git-tools.txt doc: various spelling fixes 2013-04-12 12:00:52 -07:00
git-unpack-file.txt
git-unpack-objects.txt Merge branch 'vd/doc-unpack-objects' into maint 2013-11-07 14:37:36 -08:00
git-update-index.txt Merge branch 'po/doc-assume-unchanged' 2014-12-22 12:27:38 -08:00
git-update-ref.txt update-ref --stdin -z: deprecate interpreting the empty string as zeros 2014-04-07 12:09:13 -07:00
git-update-server-info.txt
git-upload-archive.txt add uploadarchive.allowUnreachable option 2014-02-28 09:55:37 -08:00
git-upload-pack.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-var.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-verify-commit.txt verify-commit: scriptable commit signature verification 2014-06-23 15:50:31 -07:00
git-verify-pack.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-verify-tag.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-web--browse.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-whatchanged.txt whatchanged: document its historical nature 2013-08-13 09:01:54 -07:00
git-write-tree.txt
git.txt http: limit redirection to protocol-whitelist 2015-09-25 15:30:39 -07:00
gitattributes.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
gitcli.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
gitcore-tutorial.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
gitcredentials.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitcvs-migration.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
gitdiffcore.txt diffcore-pickaxe doc: document -S and -G properly 2013-06-03 10:53:11 -07:00
giteveryday.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
gitglossary.txt doc: add 'everyday' to 'git help' 2014-10-10 16:02:26 -07:00
githooks.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
gitignore.txt Merge branch 'po/doc-assume-unchanged' 2014-12-22 12:27:38 -08:00
gitk.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
gitmodules.txt submodule: improve documentation of update subcommand 2015-03-02 14:59:55 -08:00
gitnamespaces.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitremote-helpers.txt doc: add some crossrefs between manual pages 2014-11-11 14:47:04 -08:00
gitrepository-layout.txt read-cache: split-index mode 2014-06-13 11:49:39 -07:00
gitrevisions.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gittutorial-2.txt Merge branch 'sn/tutorial-status-output-example' 2014-11-19 13:47:59 -08:00
gittutorial.txt Merge branch 'sn/tutorial-status-output-example' 2014-11-19 13:47:59 -08:00
gitweb.conf.txt Merge branch 'jz/gitweb-conf-doc-fix' into maint 2015-04-21 12:12:22 -07:00
gitweb.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
gitworkflows.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
glossary-content.txt Documentation: typofixes 2014-11-04 13:14:44 -08:00
howto-index.sh howto-index.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:57 -07:00
i18n.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
install-doc-quick.sh
install-webdoc.sh install-webdoc.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:58 -07:00
line-range-format.txt Documentation: change -L:<regex> to -L:<funcname> 2015-04-20 11:05:50 -07:00
mailmap.txt Merge branch 'jk/mailmap-from-blob' 2013-01-05 23:41:42 -08:00
Makefile Documentation: fix version numbering 2015-01-22 13:44:14 -08:00
manpage-1.72.xsl
manpage-base-url.xsl.in
manpage-base.xsl
manpage-bold-literal.xsl
manpage-normal.xsl
manpage-quote-apos.xsl
manpage-suppress-sp.xsl
merge-config.txt Merge branch 'da/mergetool-docs' 2013-02-07 14:42:16 -08:00
merge-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
merge-strategies.txt Merge branch 'rr/doc-merge-strategies' into maint 2014-04-03 13:39:03 -07:00
pretty-formats.txt Merge branch 'bc/asciidoc-pretty-formats-fix' into maint 2014-10-29 10:35:10 -07:00
pretty-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
pull-fetch-param.txt docs: Explain the purpose of fetch's and pull's <refspec> parameter. 2014-06-12 09:59:13 -07:00
rev-list-options.txt Merge branch 'jc/doc-log-rev-list-options' into maint 2015-02-24 22:10:40 -08:00
revisions.txt Documentation: mention config sources for @{upstream} 2014-05-13 12:35:00 -07:00
sequencer.txt
SubmittingPatches Merge branch 'jc/submitting-patches-mention-send-email' into maint 2015-03-28 09:33:10 -07:00
urls-remotes.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
urls.txt Merge branch 'ft/doc-git-transport' into maint 2013-07-21 22:51:24 -07:00
user-manual.conf docs: monospace listings in docbook output 2012-08-07 14:30:52 -07:00
user-manual.txt Merge branch 'jm/doc-wording-tweaks' 2014-06-16 12:18:39 -07:00