mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

comment

Browse source
This commit is contained in:
Joey Hess 2022-08-19 13:06:38 -04:00
parent bfe75f0517
commit 4ca8e95773
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
1 changed files with 21 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

21
doc/bugs/git-annex-import_imports_outside_of_directory/comment_5_5b41c061786fd49c75d49aa2cc70bb9f._comment Normal file
View file

@ -0,0 +1,21 @@
[[!comment format=mdwn
username="joey"
subject="""comment 5"""
date="2022-08-19T17:01:42Z"
content="""
@skcin I'm very sorry that happened to you. I suppose it's not data loss,
but it sounds like a mess. You should be able to examine `git log` to find
what got imported, and run `git-annex unannex` on it, and then move it back
to the right place.
Seems like I underestimated the chance this would be a foot bomb.
I now think that git-annex import and the directory special remote should
skip over symlinks. Probably with an informative message to avoid silently
doing nothing in cases where users had been using them intentionally to
follow symlinks.
Such a check will be race prone, but that is only likely to matter if an
attacker is racing it to replace a file with a symlink, and as I discussed
in previous comments, such an attacker seems like they would be able to
accomplish the same thing with the write permission they must have.
"""]]