From: Tracey Emery
Subject: Re: editor in got.conf
To: gameoftrees@openbsd.org
Date: Fri, 11 Sep 2020 16:38:36 -0600

On Fri, Sep 11, 2020 at 08:39:54PM +0200, Stefan Sperling wrote:
> I had started writing a patch to allow configuring an editor via
> got.conf. But then I realized that this does not seem safe.
>
> The editor is an arbitrary command and neither pledge nor unveil can
> impose any restrictions on it. If a repository is shared between users
> then arbitrary command execution as one of the other users would be
> possible by configuring a malicious editor command in the repository's
> got.conf file.
>
> So instead of implementing this feature I would like to document
> why it is being rejected.
>
> Am I being too paranoid?
>

No, and it's a weird "feature" anyway. I can't imagine wanting to use one editor on a repo and a different editor on another. Do people actually do that? If the answer is yes, then the explanation below would be needed. If the answer is no, I don't see a need, but that's just me.

> diff 46215d2a90d69074a235db573e8d851eff0aa424 /home/stsp/src/got > blob - 09df173f44966dfcc1a7f9dec3259ba5af9837d9 > file + got/got.conf.5 > --- got/got.conf.5 > +++ got/got.conf.5 > @@ -177,3 +177,19 @@ file. > .Xr got 1 , > .Xr git-repository 5 , > .Xr got-worktree 5 > +.Sh CAVEATS > +.Nm > +offers no way to configure the editor spawned by > +.Cm got commit , > +.Cm got histedit , > +.Cm got import , > +or > +.Cm got tag . > +This is deliberate and prevents potential arbitrary command execution > +as another user when repositories are shared between users. > +Users should set their > +.Ev VISUAL > +or > +.Ev EDITOR > +environment variables instead. > +

-- 
Tracey Emery
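
Review bot: The added CAVEATS text, in the sentence beginning "This is deliberate", says the omission prevents command execution "as another user" but never names the vector, so a reader of the man page alone cannot tell that the concern is a got.conf file inside a shared repository that other users can edit; one clause stating that would make the rationale self-contained. The hard-coded list of got commit, got histedit, got import and got tag will need updating whenever another command starts spawning an editor, so it is worth a comment in the source or looser wording. The last added line of the hunk is an empty "+" line, which leaves a blank line at the end of got/got.conf.5 and can be dropped.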