Commit 21a1828e authored by epriestley's avatar epriestley

Omit "--" in older fallback commands for Git remote URIs

Summary: Ref T13481. Some older versions of Git appear to not support "--" in these commands. Just drop it. This can lead to ambiguous results with certain obviously-silly remote names, but doesn't appear to lead to anything dangerous.

Test Plan: Will followup with user on ancient Git.

Maniphest Tasks: T13481

Differential Revision:
parent 70c0fd3f
......@@ -1636,8 +1636,16 @@ final class ArcanistGitAPI extends ArcanistRepositoryAPI {
// will be incorrect if a remote has different fetch and push URIs.
// However, this is very rare, and this result is almost always correct.
// Note that some old versions of Git do not parse "--" in this command
// properly. We omit it since it doesn't seem like there's anything
// dangerous an attacker can do even if they can choose a remote name to
// intentionally cause an argument misparse.
// This will cause the command to behave incorrectly for remotes with
// names which are also valid flags, like "--quiet".
list($err, $stdout) = $this->execManualLocal(
'ls-remote --get-url -- %s',
'ls-remote --get-url %s',
if (!$err) {
// The "git ls-remote --get-url" command just echoes the remote name
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment