On Fri, Sep 11, 2020 at 08:39:54PM +0200, Stefan Sperling wrote:
> I had started writing a patch to allow configuring an editor via
> got.conf. But then I realized that this does not seem safe.
> 
> The editor is an arbitrary command and neither pledge nor unveil can
> impose any restrictions on it. If a repository is shared between users
> then arbitrary command execution as one of the other users would be
> possible by configuring a malicous editor command in the repository's
> got.conf file.
> 
> So instead of implementing this feature I would like to document
> why it is being rejected.
> 
> Am I being too paranoid?
> 

No, and it's a weird "feature" anyway. I can't imagine wanting to use
one editor on a repo and a different editor on another.

Do people actually do that? If the answer is yes, then the explanation
below would be needed. If the answer is no, I don't see a need, but
that's just me.

> diff 46215d2a90d69074a235db573e8d851eff0aa424 /home/stsp/src/got
> blob - 09df173f44966dfcc1a7f9dec3259ba5af9837d9
> file + got/got.conf.5
> --- got/got.conf.5
> +++ got/got.conf.5
> @@ -177,3 +177,19 @@ file.
>  .Xr got 1 ,
>  .Xr git-repository 5 ,
>  .Xr got-worktree 5
> +.Sh CAVEATS
> +.Nm
> +offers no way to configure the editor spawned by
> +.Cm got commit ,
> +.Cm got histedit ,
> +.Cm got import ,
> +or
> +.Cm got tag .
> +This is deliberate and prevents potential arbitrary command execution
> +as another user when repositories are shared between users.
> +Users should set their
> +.Ev VISUAL
> +or
> +.Ev EDITOR
> +environment variables instead.
> +

-- 

Tracey Emery