PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
-
@DecaturNature to be clear: github doesn't apply patches to your code.* The way `git push` works is not based on patches. That is, as the level of surprise in the original post suggests, not how any of this works.
But `patch` and `git-am` do take arbitrary text input and apply it as a patch, and patches are not a good data format. `patch` for sure can be tricked.
*see next message
@DecaturNature Exception: github does apply patches in case of rebase/merge, but those are patches specifically generated by diffing trees, never patches provided by users (much less commit messages).
I'm not sure we even do that using any kind of custom code - probably we just use git.
I'm a GitHub employee.
To quibble with the framing of the original: the unsafe behavior is using `patch` to apply patches - good reminder to be super careful doing that. yow
-
@zekjur one calls it unsafe, others an exploit 🤔
@TheOneDoc @zekjur
patch is an interpreter that runs as you and can write the file system ...
-
@TheOneDoc @zekjur
patch is an interpreter that runs as you and can write the file system ...
In this space it's safe to assume that everyone knows what patch and diff are.
Just in case I have to explicitly point it out: workflows can have exploits, not only software. In fact, usually the human is the easiest exploit vector.
Edit: That sounded meaner than intended, sorry. Changed.
-
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
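As an added example (not code from git, from i3, or from anyone in this thread), here is the mechanism the post above and the "git-am should know better" / "not escaping the patch bit" replies below are talking about. git am(1) hands each mail to git mailinfo, which reads the body line by line and switches from "commit message" to "patch" at the first line that looks like a diff header or the format-patch `---` separator; everything from there on, an illustrative diff included, is given to git apply. The `patchbreak()` below is my reimplementation of that check as I read mailinfo.c, with a splitter that applies it to a constructed format-patch body, a lint for commit messages, and the indentation workaround. The sample commit message, file names and hunks are constructed; they are not the real i3 PR.

```python
"""Added example, not code from git, i3 or anyone in this thread: why a diff
pasted into a commit message ends up applied by git am(1).

git am hands each mail to git mailinfo, which reads the body line by line and
switches from "this is the commit message" to "this is the patch" at the first
line that looks like a diff header or the format-patch separator.  Everything
from that line on, a diff that was only meant as illustration included, goes to
git apply.  patchbreak() below is my reading of the check in git's mailinfo.c,
not git's own code; lines are handled with their trailing newline kept, as
mailinfo reads them.
"""


def patchbreak(line: str) -> bool:
    """True if git mailinfo would treat `line` as the start of the patch."""
    if line.startswith("diff -"):          # GNU diff / "diff --git" header
        return True
    if line.startswith("Index: "):         # CVS/SVN style header
        return True
    if len(line) < 4 or not line.startswith("---"):
        return False
    # "--- <filename>": a unified diff that has no "diff" line in front of it
    if line[3] == " " and len(line) > 4 and line[4] not in " \t\r\n":
        return True
    # "---" followed only by whitespace: the separator git format-patch emits
    return line[3:].strip(" \t\r\n") == ""


def split_mail_body(body: str) -> tuple[str, str]:
    """Split a mail body into (commit message, patch text) the way mailinfo does."""
    lines = body.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if patchbreak(line):
            return "".join(lines[:i]), "".join(lines[i:])
    return body, ""


def lint_commit_message(message: str) -> list[int]:
    """1-based line numbers that would cut the message short under git am.

    Run this over commit messages before `git format-patch`, or in CI for
    projects whose downstreams (e.g. distro packagers) export commits as patches.
    """
    return [n for n, line in enumerate(message.splitlines(keepends=True), 1)
            if patchbreak(line)]


def indent_for_commit_message(diff_text: str, prefix: str = "    ") -> str:
    """Make a quoted diff inert: every check above is anchored at column 0."""
    return "".join(prefix + line if line.strip() else line
                   for line in diff_text.splitlines(keepends=True))


# Constructed sample, not the real i3 pull request: a throwaway diff quoted in a
# commit message "to show how the bug was reproduced".
QUOTED_DIFF = """\
diff --git a/src/main.c b/src/main.c
--- a/src/main.c
+++ b/src/main.c
@@ -10,6 +10,7 @@ int main(void)
 {
+    sleep(1);
     init();
     run();
 }
"""
HEAD = ("Fix slow startup on some setups\n\n"
        "While bisecting I used this throwaway change to reproduce the race\n"
        "(do NOT merge this part):\n\n")
TAIL = "\nSigned-off-by: Example Dev <dev@example.invalid>\n"

UNSAFE_MESSAGE = HEAD + QUOTED_DIFF + TAIL
SAFE_MESSAGE = HEAD + indent_for_commit_message(QUOTED_DIFF) + TAIL

# What git format-patch appends after the message: separator, diffstat, real diff
# (constructed; the real change in this sample is the start_workers() hunk).
REAL_PATCH = """\
---
 src/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.c b/src/main.c
--- a/src/main.c
+++ b/src/main.c
@@ -20,7 +20,7 @@ static void run(void)
-    start_workers(0);
+    start_workers(1);
 }
"""


def format_patch_body(message: str) -> str:
    """Body of the mail git format-patch would produce for `message` (constructed)."""
    return message + REAL_PATCH


if __name__ == "__main__":
    for label, msg in (("unsafe", UNSAFE_MESSAGE), ("safe", SAFE_MESSAGE)):
        commit_msg, patch = split_mail_body(format_patch_body(msg))
        print(f"{label}: lint={lint_commit_message(msg)} "
              f"sleep_in_patch={'sleep(1)' in patch} "
              f"signoff_kept={'Signed-off-by' in commit_msg}")
```

Two things worth noticing when you run it: in the unsafe case the commit message is cut before the quoted `diff --git` line, so the `sleep(1)` hunk is handed to git apply and the Signed-off-by trailer silently disappears from the resulting commit, which is a cheap thing to check for in review. The same check also fires on a Markdown horizontal rule (`---`) or any prose line starting with `--- ` followed by a word, so the lint is useful even for messages that contain no diff. patch(1) has its own heuristics for finding hunks in arbitrary text; this code only models git mailinfo.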
-
@zekjur this is a solved problem. all my commit messages are simply "updates" 👍
-
@zekjur patch(1) has an excuse, but git-am should know better. Security bug in it IMHO.
-
@zekjur love me a good combined data and control channel, never once seen that backfire
+++ATH
-
@zekjur Would this not be considered a git bug? It is not escaping the patch bit of the commit message properly, right?
-
@zekjur @gsuberland that... does not seem like a safe design
-
oblomov@sociale.network shared this topic