git/Documentation/git-upload-archive.txt
Scott J. Goldman 7671b63211 add uploadarchive.allowUnreachable option
In commit ee27ca4, we started restricting remote git-archive
invocations to only accessing reachable commits. This
matches what upload-pack allows, but does restrict some
useful cases (e.g., HEAD:foo). We loosened this in 0f544ee,
which allows `foo:bar` as long as `foo` is a ref tip.
However, that still doesn't allow many useful things, like:

  1. Commits accessible from a ref, like `foo^:bar`, which
     are reachable

  2. Arbitrary sha1s, even if they are reachable.

We can do a full object-reachability check for these cases,
but it can be quite expensive if the client has sent us the
sha1 of a tree; we have to visit every sub-tree of every
commit in the worst case.

Let's instead give site admins an escape hatch, in case they
prefer the more liberal behavior.  For many sites, the full
object database is public anyway (e.g., if you allow dumb
walker access), or the site admin may simply decide the
security/convenience tradeoff is not worth it.

This patch adds a new config option to disable the
restrictions added in ee27ca4. It defaults to off, meaning
there is no change in behavior by default.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-02-28 09:55:37 -08:00

62 lines
2 KiB
Text

git-upload-archive(1)
====================
NAME
----
git-upload-archive - Send archive back to git-archive
SYNOPSIS
--------
[verse]
'git upload-archive' <directory>
DESCRIPTION
-----------
Invoked by 'git archive --remote' and sends a generated archive to the
other end over the Git protocol.
This command is usually not invoked directly by the end user. The UI
for the protocol is on the 'git archive' side, and the program pair
is meant to be used to get an archive from a remote repository.
SECURITY
--------
In order to protect the privacy of objects that have been removed from
history but may not yet have been pruned, `git-upload-archive` avoids
serving archives for commits and trees that are not reachable from the
repository's refs. However, because calculating object reachability is
computationally expensive, `git-upload-archive` implements a stricter
but easier-to-check set of rules:
1. Clients may request a commit or tree that is pointed to directly by
a ref. E.g., `git archive --remote=origin v1.0`.
2. Clients may request a sub-tree within a commit or tree using the
`ref:path` syntax. E.g., `git archive --remote=origin v1.0:Documentation`.
3. Clients may _not_ use other sha1 expressions, even if the end
result is reachable. E.g., neither a relative commit like `master^`
nor a literal sha1 like `abcd1234` is allowed, even if the result
is reachable from the refs.
Note that rule 3 disallows many cases that do not have any privacy
implications. These rules are subject to change in future versions of
git, and the server accessed by `git archive --remote` may or may not
follow these exact rules.
If the config option `uploadArchive.allowUnreachable` is true, these
rules are ignored, and clients may use arbitrary sha1 expressions.
This is useful if you do not care about the privacy of unreachable
objects, or if your object database is already publicly available for
access via non-smart-http.
OPTIONS
-------
<directory>::
The repository to get a tar archive from.
GIT
---
Part of the linkgit:git[1] suite