From f07e2ce87c13f9debdab241578cbdedb72bd7a5f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 17 Oct 2016 16:30:43 -0400 Subject: [PATCH] comment --- ..._ab16dfb6c3fe2a70ddfb0cee287c6127._comment | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 doc/todo/bittorrent__58___support_offline_operation_and_verification/comment_1_ab16dfb6c3fe2a70ddfb0cee287c6127._comment diff --git a/doc/todo/bittorrent__58___support_offline_operation_and_verification/comment_1_ab16dfb6c3fe2a70ddfb0cee287c6127._comment b/doc/todo/bittorrent__58___support_offline_operation_and_verification/comment_1_ab16dfb6c3fe2a70ddfb0cee287c6127._comment new file mode 100644 index 0000000000..47eddfaeac --- /dev/null +++ b/doc/todo/bittorrent__58___support_offline_operation_and_verification/comment_1_ab16dfb6c3fe2a70ddfb0cee287c6127._comment 
@@ -0,0 +1,35 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2016-10-17T20:05:51Z" + content=""" +The filename **sanitization** is needed for security reasons. A +bittorrent file could contain `../` and similar evil which should not be +allowed to be written to disk as-is. Or control characters which could +cause an exploit via terminal key remapping. Or filenames starting with +dashes to make an unguarded `rm *` end up expanding to `rm -rf something`. + +I'd not be surprised if whatever bittorrent program you used to download +that does some filename sanitization too. Opinions on safe sanitization +will vary, so it's not practical to expect git-annex and multiple +bittorrent programs to behave identically. + +---- + +It would be possible to make `addurl --file` usable with a multi-file +torrent. Something like: + + git annex addurl http://example.com/foo.torrent --file bar.mkv + That url contains multiple files; pick the one that corresponds to + local file "bar.mkv", and pass it in the --subfile option + bar.sub + bar.mkv + README.txt + Eg: git annex addurl 'http://example.com/foo.torrent' --file 'bar.mkv' --subfile 'bar.mkv' + +Of course this could be skipped if the torrent only contains one file +with the same size and name as the `--file` file. + +I don't know if such an interface would be too annoying to be worth +using in your use case or not? +"""]]
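Review bot: In the proposed `addurl --file` prompt (the listing of `bar.sub`, `bar.mkv`, `README.txt` and the `--subfile 'bar.mkv'` example), the comment does not say whether the names shown, and the value `--subfile` is matched against, are the raw names from the torrent or the sanitized ones. The first paragraph gives `../` and control characters that remap terminal keys as the reasons for sanitization, and a listing of raw torrent names would print exactly those to the terminal. Suggest stating that both the listing and the `--subfile` match use the sanitized form. The shortcut in "one file with the same size and name as the `--file` file" needs the same clarification: say which form of the name is compared.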