From c30fe65ee9c8a4cad3fdbd09032af926384f847f Mon Sep 17 00:00:00 2001
From: epriestley
Date: Tue, 19 Apr 2016 06:55:42 -0700
Subject: [PATCH] Remove the warning about the Git 2GB pathname issue

Summary: Ref T10832. In practice, `git --version` is not a useful test for this issue: - Vendors like Debian have backported the patch into custom versions like `0.0.0.1-debian-lots-of-patches.3232`. - Vendors like Ubuntu distribute multiple different versions which report the same string from `git --version`, some of which are patched and some of which are not. In other cases, we can perform an empirical test for the vulnerability. Here, we can not, because we can't write a 2GB path in a reasonable amount of time. Since vendors (other than Apple) //generally// seem to be on top of this and any warning we try to raise based on `git --version` will frequently be incorrect, don't raise this warning. I'll note this in the changelog instead. Test Plan: Looked at setup issues, no more warning for vulnerable git version. Reviewers: chad Reviewed By: chad Maniphest Tasks: T10832 Differential Revision: https://secure.phabricator.com/D15756
---
 .../config/check/PhabricatorBinariesSetupCheck.php | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/applications/config/check/PhabricatorBinariesSetupCheck.php b/src/applications/config/check/PhabricatorBinariesSetupCheck.php
index c3c0740cfa..0d577b5297 100644
--- a/src/applications/config/check/PhabricatorBinariesSetupCheck.php
+++ b/src/applications/config/check/PhabricatorBinariesSetupCheck.php
@@ -102,14 +102,7 @@ final class PhabricatorBinariesSetupCheck extends PhabricatorSetupCheck {
 $version = null;
 switch ($vcs['versionControlSystem']) {
 case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
- $bad_versions = array(
- '< 2.7.4' => pht(
- 'Prior to 2.7.4, Git contains two remote code execution '.
- 'vulnerabilities which allow an attacker to take control of a '.
- 'system by crafting a commit which affects very long paths, '.
- 'then pushing it or tricking a victim into fetching it. This '.
- 'is a severe security vulnerability.'),
- );
+ $bad_versions = array();
 list($err, $stdout, $stderr) = exec_manual('git --version');
 $version = trim(substr($stdout, strlen('git version ')));
 break;
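Review bot: The `$bad_versions = array();` left in the Git case carries no explanation, so the reasoning given in the commit message — that `git --version` cannot distinguish a vendor-patched build from an unpatched one — is lost to the next maintainer, who may simply re-add a version-string threshold. I'd put a comment above that line, e.g. `// Intentionally empty: a 'git --version' threshold can't reliably detect the T10832 fix, because vendors backport it under custom or unchanged version strings (see D15756).` If the version-comparison code further down (outside this hunk) is fed only by this array for Git, the `exec_manual('git --version')` call and the `$version` parsing in this case may now be dead work too, though I can't confirm that from the hunk alone. The enclosing method starts and ends outside the hunk.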