)]}'
{
  "commit": "3ec804490a265f4c418a321428c12f3f18b7eff5",
  "tree": "0513ab09343450a3b9a5528c884a54933944fbed",
  "parents": [
    "765428699a5381f113d19974720bc91b5bfeaf1d"
  ],
  "author": {
    "name": "Jeff King",
    "email": "peff@peff.net",
    "time": "Sat Apr 29 08:36:44 2017 -0400"
  },
  "committer": {
    "name": "Junio C Hamano",
    "email": "gitster@pobox.com",
    "time": "Fri May 05 12:07:27 2017 +0900"
  },
  "message": "shell: disallow repo names beginning with dash\n\nWhen a remote server uses git-shell, the client side will\nconnect to it like:\n\n  ssh server \"git-upload-pack \u0027foo.git\u0027\"\n\nand we literally exec (\"git-upload-pack\", \"foo.git\"). In\nearly versions of upload-pack and receive-pack, we took a\nrepository argument and nothing else. But over time they\nlearned to accept dashed options. If the user passes a\nrepository name that starts with a dash, the results are\nconfusing at best (we complain of a bogus option instead of\na non-existent repository) and malicious at worst (the user\ncan start an interactive pager via \"--help\").\n\nWe could pass \"--\" to the sub-process to make sure the\nuser\u0027s argument is interpreted as a branch name. I.e.:\n\n  git-upload-pack -- -foo.git\n\nBut adding \"--\" automatically would make us inconsistent\nwith a normal shell (i.e., when git-shell is not in use),\nwhere \"-foo.git\" would still be an error. For that case, the\nclient would have to specify the \"--\", but they can\u0027t do so\nreliably, as existing versions of git-shell do not allow\nmore than a single argument.\n\nThe simplest thing is to simply disallow \"-\" at the start of\nthe repo name argument. This hasn\u0027t worked either with or\nwithout git-shell since version 1.0.0, and nobody has\ncomplained.\n\nNote that this patch just applies to do_generic_cmd(), which\nruns upload-pack, receive-pack, and upload-archive. There\nare two other types of commands that git-shell runs:\n\n  - do_cvs_cmd(), but this already restricts the argument to\n    be the literal string \"server\"\n\n  - admin-provided commands in the git-shell-commands\n    directory. We\u0027ll pass along arbitrary arguments there,\n    so these commands could have similar problems. But these\n    commands might actually understand dashed arguments, so\n    we cannot just block them here. It\u0027s up to the writer of\n    the commands to make sure they are safe. With great\n    power comes great responsibility.\n\nReported-by: Timo Schmid \u003ctschmid@ernw.de\u003e\nSigned-off-by: Jeff King \u003cpeff@peff.net\u003e\nSigned-off-by: Junio C Hamano \u003cgitster@pobox.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ace62e4b6503d821962242f9cf3bd9af22bc39b9",
      "old_mode": 33188,
      "old_path": "shell.c",
      "new_id": "c3bf8ec38a3e310a87df3831fb079094462abd81",
      "new_mode": 33188,
      "new_path": "shell.c"
    }
  ]
}